THE FEDERAL BUREAU OF INVESTIGATION’S IMPLEMENTATION OF INFORMATION TECHNOLOGY RECOMMENDATIONS

U.S. Department of Justice
Office of the Inspector General
Audit Division

Audit Report 03-36
September 2003

EXECUTIVE SUMMARY

Following the September 11, 2001, terrorist attacks, the Attorney General and the Director of the Federal Bureau of Investigation (FBI) made clear that prevention of terrorism is the top priority of the Department of Justice (DOJ) and the FBI. Effective use of information technology (IT) is crucial to the FBI’s ability to meet this priority as well as its other critical responsibilities. For FY 2003, the FBI allocated nearly $606 million to information technology projects.

As computer technology has advanced, federal agencies have become increasingly dependent on information systems to carry out operations and process, maintain, and report essential information. The FBI’s computerized information systems affect many mission-critical activities, such as financial management, security of sensitive and classified data, and investigative work.

Recognizing the importance and vulnerability of data processed, maintained and reported by the FBI, the Office of the Inspector General (OIG), the General Accounting Office (GAO), and other entities have conducted audits, investigations, and reviews of the FBI’s management of IT. For years, reviews have found major weaknesses associated with the FBI’s IT.
The FBI has made upgrading its information technology one of its top ten priorities.

To assess the FBI’s progress in improving its IT, the OIG conducted this audit of the FBI’s implementation of prior OIG and GAO recommendations. To perform our audit, we conducted 27 interviews with officials from the FBI, OIG, and GAO. The FBI officials interviewed were from the Inspection Division, Information Resources Division, and National Infrastructure Protection Center. Additionally, we reviewed over 100 documents, including prior GAO and OIG reports, Congressional testimony, and documentation on the FBI’s process for tracking the resolution of recommendations.

1. Policies and Procedures for Following Up on Report Recommendations

The Office of Management and Budget (OMB) and DOJ have issued policies and procedures for following up on recommendations of audit reports. According to OMB Circular A-50, audit follow-up is an integral part of good management and is a shared responsibility of agency management and auditors. OMB Circular A-50 requires agencies to establish systems to assure the prompt and proper resolution and implementation of audit recommendations. These systems are to provide for a complete record of action taken on both monetary and non-monetary findings and recommendations.

Department of Justice Order 2900.6A, Audit Follow-Up and Resolution, established Departmental policies and criteria for the follow-up and resolution of audit findings and recommendations to ensure that all OIG audit reports are adequately and timely resolved, and that all resolution actions are consistent with the governing laws and regulations. The order states that the head of the DOJ component is responsible for overall audit resolution and follow-up activities within his or her organizational unit and is accountable to the Deputy Attorney General. Further, the DOJ component should establish an audit follow-up and resolution system that ensures written comments on audit findings and recommendations are made within four months after the issuance of the report.

The order also states that DOJ components should assign a high priority to the immediate implementation of the order so that the DOJ will be in full compliance with the legislative and regulatory requirements pertaining to the timely resolution of audits. Although subjective, the timeliness of corrective actions is assessed on a recommendation-by-recommendation basis due to the inherent difficulties associated with implementing certain recommendations.

When issuing other OIG reports that contain recommendations, such as special investigations or reviews, the OIG elicits responses from components regarding planned corrective actions. When received by the OIG, the responses are reviewed to determine whether the planned corrective actions meet the intent of the recommendations. Periodically, the OIG makes subsequent inquiries with components to monitor the implementation of these actions. As with audit reports, component managers are ultimately responsible for ensuring that recommendations are implemented in a timely manner.

2. The FBI’s Implementation of IT Recommendations

Since 1990, OIG reports have identified numerous deficiencies with the FBI’s IT program, including outdated infrastructures, fragmented management, ineffective systems, and inadequate training.
While the FBI has implemented many of the recommendations contained in these reports (93 out of 148), significant further actions are necessary to ensure that the FBI’s IT program effectively supports its mission. For example, recent audits and reviews conducted by the OIG have found repeated deficiencies with the FBI’s IT control environment and compliance with information security requirements.

These repeated deficiencies indicate that, in the past, FBI management had not paid sufficient attention to improving its IT program. Until recently, the FBI lacked an effective system of management controls to ensure that recommendations issued by the OIG are implemented in a timely and consistent manner. However, current FBI leadership has stated that they are committed to enhancing controls to ensure recommendations are implemented in a consistent and timely manner. The FBI has recently established a system to facilitate the tracking and implementation of recommendations. Additionally, the FBI expects significant improvements from its current IT modernization efforts, which the FBI believes will correct many of the deficiencies identified by the OIG.

A. OIG Reports on the FBI’s IT

To assess the FBI’s progress in implementing recommendations directed toward improving its information technology, the audit examined the following OIG reports that related to the FBI’s use and management of IT:

• the 1990 audit report on the FBI’s automated data processing (ADP) controls;

• the 2002 audit report on the FBI’s IT investment management (ITIM);

• five detailed reports issued in support of annual financial statement audits for FYs 1996 through 2001 [1] on the FBI’s control environment over its IT systems;

• three audit reports pursuant to the Government Information Security Reform Act (GISRA) issued for FYs 2001 and 2002; and

• two special investigative reports that contained FBI IT-related recommendations issued in 1999 and 2002.

[1] The OIG issued one report for FYs 1996 and 1997.

For the 1990 ADP audit report and the 2002 ITIM report, we examined similarities between the reports’ findings to assess the FBI’s progress in improving its IT. For the OIG’s detailed IT reports, FY 2001 GISRA audit report, and special reports, we obtained the status of FBI IT-related recommendations.
The table below summarizes the status of FBI IT-related recommendations contained in these reports.

Summary of the Status of IT Recommendations Issued to the FBI
(number of recommendations)

Report Name                          Open   Closed   Total
OIG Detailed Financial IT Reports      22       83     105
OIG FY 2001 GISRA Audit Report         17        6      23
OIG Special Reports                    16        4      20
Total                                  55       93     148

Source: OIG analyses as of April 2003

The following sections provide background information on these reports and an assessment of the FBI’s progress toward implementing IT-related recommendations contained in these reports.

(1) Reports on the FBI’s ADP Controls and IT Investment Management

In 1990, the OIG issued an audit report entitled “The FBI’s Automatic Data Processing General Controls.” This report found 11 major internal control weaknesses, many of which were still applicable 12 years later. Specifically, the report found the following.

1. The FBI’s phased implementation of its 10-year Long Range Automation Strategy, scheduled for completion in 1990, was severely behind schedule.

2. The FBI’s Information Resources Management program was fragmented and ineffective, and the FBI’s Information Resources Management official did not have effective organization-wide authority.

3. The FBI had not developed and implemented a data architecture. [2]

4. The FBI had not adequately involved top management in FBI Headquarters (FBIHQ) or the field offices in systems development through an Executive Review Committee.

5. The FBI’s major mainframe investigative systems were labor-intensive, complex, untimely, and non-user-friendly, and few special agents used these systems.

[2] Data architecture is the identification and definition of major types of data within an organization.

Many of the weaknesses identified in the 1990 report on ADP controls were mentioned again in the 2002 audit report on the FBI’s ITIM. In December 2002, the OIG issued a report entitled “The FBI’s Management of IT Investments.” The OIG concluded that the FBI had not effectively managed its IT investments because it had not fully implemented the management processes associated with successful IT investments.

The ITIM report contained 30 recommendations directed toward improving the FBI’s management of its IT investments. Because our evaluation of the FBI’s progress toward implementing recommendations was close to the final issuance of the ITIM report, we did not assess the FBI’s progress in implementing the recommendations. However, our 2002 ITIM report found that many of the weaknesses described in the 1990 report on the FBI’s ADP controls still existed:

• The FBI’s IT infrastructure was severely outdated.

• The FBI’s Information Resources Management program was decentralized. The FBI had completed several restructurings, including one in February 2002 that was intended to give the Information Resources Management program more authority over the divisions that manage IT.

• The FBI still had not completed an enterprise architecture framework, which included the technical and data architecture.

• The FBI did not have formally established IT investment review boards or committees until March 2002.

• The FBI’s major investigative systems remained labor-intensive, complex, and non-user-friendly, and many special agents still did not use these systems.

The OIG concluded that the FBI’s ability to implement the 30 recommendations listed in the ITIM report completely and in a timely manner will, in part, depend on management’s commitment to do so. This management commitment must be incorporated into a comprehensive process to ensure that the recommendations are tracked and implemented.

(2) Reports on the FBI’s Control Environment over its Financial IT Systems

The OIG conducts annual financial statement audits of the FBI, with the most recent report covering FY 2001. Financial statement audits are intended to play a central role in (1) providing more reliable and useful financial information to decision-makers, and (2) improving the adequacy of internal controls and underlying financial management systems.
In support of the FBI’s annual financial statement audits, the OIG has issued detailed reports since FY 1996 on the effectiveness of the FBI’s general and application controls over IT systems used to process financial transactions.

To conduct these reviews, the OIG used the GAO’s Federal Information System Controls Audit Manual (FISCAM). The FISCAM describes, by category, the computer-related controls that auditors should consider when assessing the integrity, confidentiality, and availability of computerized data.

We found that the FBI made progress in correcting deficiencies identified in the detailed reports supporting the annual financial statement audits from FY 1996 to 2001. Of the 105 recommendations contained in these reports, 83 have been implemented and closed, and 22 are still open. The following table summarizes the status of the FBI’s IT control environment recommendations by FISCAM category.

Status of the FBI’s Financial IT Control Environment Recommendations by FISCAM Category
(number of recommendations)

FISCAM Category                                                  Open   Closed   Total
Entity-Wide Security Program Planning and Management Controls       2        6       8
Access Controls                                                    10       32      42
Application Software Development and Change Controls                2        6       8
System Software Controls                                            0        7       7
Segregation of Duty Controls                                        1        4       5
Service Continuity Controls                                         2       15      17
Application Controls                                                5       10      15
Other Financial-Related IT Areas [3]                                0        3       3
Total                                                              22       83     105

Source: OIG analyses as of April 2003

[3] These recommendations were not identified by FISCAM categories.

By implementing 83 of the recommendations, the FBI improved its IT internal control environment. The FY 2001 report did not contain any system software control deficiencies. [4] The FBI also made progress toward correcting deficiencies in entity-wide security program planning, access controls, application software development and change controls, segregation of duties, service continuity, and application controls.

[4] The FISCAM distinguishes system software controls from application software development and change controls. Beginning on page 12, we provide more detailed information on these general control areas.

Despite the progress, however, as of April 2003 material weaknesses [5] remained in the following general control areas:

• entity-wide security program planning and management – increasing the risk that the integrity of sensitive information can be compromised;

• access controls – increasing the risk of erroneous or fraudulent financial transactions; and

• application software development and change controls – increasing the risk of inaccurate and unauthorized software changes.

[5] As defined by the American Institute of Certified Public Accountants, a material weakness is a reportable condition in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by error or fraud, in amounts that would be material in relation to the financial statements being audited, may occur and not be detected by employees in the normal course of performing their assigned functions.

In addition to these material weaknesses, other vulnerabilities existed in the following internal control areas:

• segregation of duty controls – increasing the risk that erroneous or fraudulent transactions could be processed, improper program changes could be implemented, and computer resources could be damaged or destroyed;

• service continuity controls – increasing the risk that during an extended outage or disaster, information system processing functions and vital business operations will be damaged and unable to function, since critical information and computer resources would be unavailable or inaccessible; and

• application controls – increasing the risk of inaccurate valuation or allocation of data, and unauthorized transactions.

We also noted that 30 of the recommendations, both open and closed, were repeated in subsequent reports on the FBI’s financial IT systems’ control environment. For example, the OIG’s review for FY 1998 reported that an automated tool was used to perform an assessment of the technical controls over the FBI’s Finance Division Local Area Networks (LANs). The assessment found weaknesses in three areas of security: account restrictions, system monitoring, and data confidentiality. In FY 1999, another automated tool was used to perform the assessment of the technical controls over the FBI’s Finance Division LANs. Although corrective action had been initiated on the prior weaknesses found, the OIG reported that these weaknesses still existed during FY 1999. The FY 2000 review stated that auditing remained disabled on the Finance Division’s Windows NT and Novell NetWare environments. In addition, according to the OIG FY 2001 review, although FBI management had stated that corrective actions had been taken with respect to the recommended settings for account restrictions, system monitoring, and data confidentiality, the conditions continued to be identified during the annual financial statement audit process.
Because of the uncorrected deficiencies identified in these audits, the FBI is at increased risk of failures in its financial management and computer security functions.

(3) Computer Security Reports in Response to GISRA

Beginning in FY 2001, the OIG was required by GISRA to perform an independent evaluation of the DOJ’s information security program and practices using standards developed by the GAO and the National Institute of Standards and Technology (NIST). [6] In May 2002, pursuant to GISRA, the OIG issued an audit report on the FBI’s investigative and administrative mainframe systems.

[6] The NIST is a non-regulatory entity of the U.S. Department of Commerce.

The NIST, in conjunction with GISRA, issued guidance detailing the specific controls that should be documented by federal agencies in their system security plan. The purpose of the security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system.

The NIST separated the security plan controls into three major control areas: (1) management controls, (2) operational controls, and (3) technical controls. Within each of the three control areas, there are a number of subordinate categories of controls. For example, technical controls include password management, logon management, account integrity management, and system auditing management.

We found that the FBI made some progress in correcting deficiencies reported in the OIG FY 2001 GISRA audit. Of the 23 recommendations contained in the report, 6 have been implemented and closed, and 17 are still open. The following table summarizes the status of the FBI’s FY 2001 GISRA audit report recommendations by category.

Status of the FBI’s FY 2001 GISRA Report Recommendations by NIST Category
(number of recommendations)

NIST Category            Open   Closed   Total
Management Controls         4        2       6
Operational Controls        2        2       4
Technical Controls         11        2      13
Total                      17        6      23

Source: OIG analyses as of April 2003

By implementing six of the recommendations, the FBI improved the security of its investigative and administrative mainframe systems at its Headquarters and Clarksburg Data Centers. These improvements included (a) defining and documenting all criticality levels used to classify applications, (b) establishing optimal operating system capacities and implementing procedures to alleviate the near-capacity usage, (c) fully implementing and using the System Access Request function to document user logon and verify that user access is commensurate with assigned responsibilities, and (d) ensuring that the communication carrier signals are not connected to unencrypted network devices.

Despite the progress made, as of April 2003 vulnerabilities remained in the following areas:

• security policies, procedures, standards, and guidelines;

• system and network backup and restoration controls;

• password management;

• logon management;

• account integrity management;

• system auditing management; and

• system patches.

The OIG assessed these vulnerabilities as a high-to-moderate risk for the protection of the FBI’s administrative and investigative mainframe systems from unauthorized use, loss, or modification. These vulnerabilities occurred because DOJ and FBI security management had not enforced compliance with existing security policies, developed a complete set of policies to effectively secure the administrative and investigative mainframes, or held FBI personnel responsible for timely correction of recurring findings. Further, the report stated that the lack of timely and effective oversight from DOJ and FBI management caused inconsistencies in the implementation of security guidelines and resulted in a weakened security infrastructure.

The FY 2002 GISRA report on the Automated Case Support (ACS) and DRUGX systems, like the FY 2001 GISRA report, noted repeated deficiencies in general control areas. Specifically, vulnerabilities were noted within password management, logon management, account integrity management, system auditing management, and system patches. The report further stated that, if not corrected, these security vulnerabilities threaten the ACS system and its data with the potential for unauthorized use, loss, or modification.

According to the FY 2002 GISRA reports, the FBI did not maintain a system for recording, tracking the progress of, ensuring attention to, or determining the completion of actions taken in response to information security vulnerabilities uncovered during non-OIG reviews. As a result, the FY 2002 GISRA reports recommended that the FBI determine the organization responsible for tracking and maintaining all vulnerabilities identified during audits and reviews. In addition, the reports recommended that the FBI develop a mechanism for tracking the vulnerabilities and the status of the associated corrective actions resulting from all IT audits and reviews.
Since September 2002, the FBI has been developing new procedures and databases to assist with the audit resolution and follow-up process. FBI officials informed us that the Inspection Division now manages the audit follow-up and resolution process for both OIG and GAO audits. Additionally, for system audits, the FBI has reported that its Information Assurance Section has taken steps to centrally manage the status of vulnerabilities and corrective actions.

(4) Reports on Special Investigations of the FBI

Since 1998, the OIG has issued two special investigation reports containing significant FBI IT-related recommendations:

• the 1999 report on the DOJ’s Campaign Finance Task Force investigation (Campaign Finance); and

• the 2002 report on the FBI’s investigation into the Oklahoma City Bombing case (McVeigh).

These reports, among other issues, considered the policies and procedures related to the management of information within the FBI, the dissemination of the information to organizations outside the FBI, and the effectiveness of the information technology utilized by the FBI. The reports cited deficiencies in the FBI’s management of IT, and provided 20 recommendations directed toward correcting these deficiencies. [7] The table below summarizes the status of the special investigation recommendations made to the FBI by report.

[7] We included recommendations related to document management because FBI documents are generally produced electronically or managed in automated databases and systems.

Status of Special Investigation Recommendations by Report
(number of recommendations)

Report Name                Open   Closed   Total
Campaign Finance Report       5        0       5
McVeigh Report               11        4      15
Total                        16        4      20

Source: OIG analyses as of April 2003

We found that the FBI’s current and planned corrective actions, including the implementation of Trilogy, have the potential to address 16 of the 20 recommendations that we examined from the Campaign Finance and McVeigh reports. However, the ultimate success of Trilogy will not be determined until at least June 2004, when the final phases of the project are scheduled for completion.

The following section provides background information on Trilogy, since its successful completion is critical not only to addressing OIG recommendations, but also to the future of the FBI’s IT program.

(a) Background on Trilogy

Trilogy is an IT modernization project designed to upgrade the FBI’s (1) hardware and software, or Information Presentation Component (IPC); (2) communication networks, or Transportation Network Component (TNC); and (3) User Application Component (UAC). The IPC and TNC upgrades will provide the physical infrastructure needed to run the applications from the UAC. The UAC is intended to replace five of the FBI’s primary investigative applications in order to reduce agents’ reliance on paperwork and improve efficiency. Through the creation of the Virtual Case File (VCF), a web-based “point-and-click” case management system, agents are expected to have multi-media capability that will allow them to scan documents, photos, and other electronic media into the case file.

In November 2000, Congress appropriated $100.7 million for the first year of the $379.8 million Trilogy project, which was to be funded over a 3-year period. In January 2002, Congress supplemented the FY 2002 Trilogy budget with $78 million to expedite the deployment of all three components. This supplemental appropriation increased the total funding of Trilogy to approximately $458 million. Even with these additional funds, the FBI missed its July 2002 milestone date for completing the “Fast Track” portion of the IPC and TNC phases.

In April 2003, the FBI Director reported to the Senate Appropriations Committee that over 21,000 new desktop computers and nearly 5,000 printers and scanners had been deployed (IPC phase). Additionally, the FBI reported that it completed the Trilogy Wide Area Network (TNC phase) on March 28, 2003. The new network, which has been deployed to 622 sites, provides increased bandwidth and three layers of security. According to the FBI, the network is highly expandable, so additional capacity or even additional sites could be added as needed.
This network replaces the FBI\xe2\x80\x99s\ndated local area and wide area networks, enabling FBI personnel to transmit\ndata at much greater speeds. Further, the FBI expects to use the network\nto transport the Investigative Data Warehouse, which will link 31 FBI\ndatabases for single-portal searches and data mining. Also, the network\nlays the foundation for improved information sharing with partner agencies,\nand other new applications, such as the VCF.\n\n      The VCF will serve as the backbone of the FBI\xe2\x80\x99s information systems,\nreplacing the FBI\xe2\x80\x99s paper files with electronic case files that include multi-\nmedia capabilities. The FBI expects to deploy the VCF in three releases.\nThe initial VCF release will consolidate data from the current ACS and\nIntelPlus systems and has a targeted completion date of December 2003.\nThis release is intended to allow different types of users, such as agents,\nanalysts, and supervisors, to access information from their desktop\ncomputers that is specific to their individual needs. This VCF release is also\nintended to enhance the FBI\xe2\x80\x99s capability to set and track case leads, index\ncase information, and move document drafts more quickly through the\napproval process with digital signatures.\n\n      The second and third releases are intended to upgrade three other\ninvestigative applications into the VCF: the Integrated Intelligence\nInformation Application (IIIA), Telephone Application, and Criminal Law\n\n                                    - xiii \xe2\x80\x93\n\x0cEnforcement Application. These releases have a targeted completion date of\nJune 2004 and are intended to provide agents with Audio/Video Streaming\ncapability and content management capability. 
According to FBI documentation, content management should help agents access information from the FBI’s data warehouse, regardless of where in the system the information was entered, providing a single query across all of the FBI’s systems that are connected to the Investigative Data Warehouse.

The OIG ITIM report, issued in December 2002, stated that the VCF, which is recognized by FBI officials as the most important aspect of the Trilogy project in terms of improving agent performance, was at high risk of not being completed within the funding levels appropriated by Congress. FBI officials confirmed the OIG’s assessment in January 2003 when they told us that an additional $138 million[8] was needed to complete Trilogy, bringing the total project cost to $596 million. Despite the cost overruns, FBI officials stated that they still expect to deliver the first release of the VCF in December 2003, and that funding for the second and third releases of the VCF has been secured.

The following sections provide further details on the IT and document management related deficiencies noted in the Campaign Finance and McVeigh reports, as well as an assessment of how the VCF will address these deficiencies.

(b) Campaign Finance Report

In July 1999, the OIG issued a report entitled “Handling of FBI Intelligence Information Related to the Justice Department’s Campaign Finance Investigation” (Campaign Finance).
In response to a request by the Attorney General, the OIG reviewed the FBI’s practices for disseminating intelligence information associated with the Campaign Finance Task Force (Task Force) investigation.

With respect to the use and maintenance of the FBI’s computer database systems, deficiencies were noted in: the Task Force’s familiarity with the FBI’s databases, FBI practices and policies that limited the usefulness of the databases, the training of FBI personnel on the ACS system, and the entry of foreign names into the FBI’s databases. These findings highlighted the need for FBI and Task Force personnel to be familiar with information search techniques within the FBI’s databases, with how information should be entered into the databases in order to take advantage of search capabilities, and with potential errors in data entry, so that all possible searches within the databases are conducted. Of the Campaign Finance report’s 18 recommendations, 5 pertained to the IT-related deficiencies. These five recommendations related to revising the FBI’s ACS and IIIA systems to require the uploading of documents and mandatory indexing of names, and training the users of these systems.

[8] Of this amount, $57 million was needed for the VCF.

Regarding the uploading of documents, the FBI issued Electronic Communications (ECs) in July 2000 and June 2002 that required all e-mails and ECs to be uploaded into the ACS system, unless prohibited by their sensitive nature.
Additionally, FBI officials stated that with the VCF, documents will have to be uploaded, since the VCF will contain all official records and case files.

Regarding the mandatory indexing of names, FBI officials stated that the VCF will facilitate indexing of web-based documents by providing data fields in searchable databases. The index of data fields, except for narrative fields, will be created automatically once the document is approved and entered into the VCF. Agents and analysts can then search the index of data fields by using search screens or by viewing the serialized document.

Regarding training, FBI officials said that they increased ACS system training for veteran agents and have plans in place to train FBI employees and task force members on the VCF. Additionally, the FBI continues to offer training on the “Romanization” of foreign names, including those in Arabic and Chinese.

Despite the FBI’s progress in taking corrective actions, a more comprehensive enterprise-wide solution to the underlying deficiencies will not occur until the VCF is implemented. As a result, some of these deficiencies have gone uncorrected for over three years.

(c) McVeigh Report

In March 2002, the OIG issued a report entitled “An Investigation of the Belated Production of Documents in the Oklahoma City Bombing Case” (McVeigh). This report analyzed the causes of the belated production of many documents in the Oklahoma City bombing case.

The McVeigh report concluded that the belated production of case-related documents resulted in part from the following long-standing problems at the FBI: (1) antiquated and inefficient computer systems, (2) inattention to information management, and (3) inadequate quality control systems.
The report further stated that the FBI’s troubled information management systems were likely to have a continuing negative effect on the FBI’s ability to properly investigate crimes.

The report stated that the FBI had not given sufficient attention to correcting deficiencies in information management and the ACS system. The findings of the report relating to information technology showed that the ACS system is extraordinarily difficult to use, has significant deficiencies, and is not suitable for the FBI in the 21st century. The report noted that inefficiencies and complexities with the ACS system, combined with the lack of a true information management system, were significant factors in the FBI’s failure to provide hundreds of investigative documents to the defendants in the Oklahoma City bombing case. To overcome these problems, the report made recommendations on how future information systems should be developed.

The McVeigh report provided 21 recommendations to the FBI, 15 of which directly related to IT. Eleven of the 15 recommendations pertain to correcting deficiencies associated with the FBI’s investigative systems, including the tracking of leads and other records management policies. FBI officials have stated that the VCF, when implemented, will address these 11 recommendations.

In May 2003, FBI officials stated that agents will be required to use the VCF, since all official case records and files (up to the Secret level) will be within the application. According to the FBI, unlike with the currently used ACS system, agents will not be able to circumvent the use of the VCF. However, the FBI still has not finalized its policies for how agents will use the VCF from remote locations.
Additionally, the VCF has only been approved for use up to the Secret classification level, so Top Secret and Sensitive Compartmented Information (SCI) records will still be maintained in an SCI facility, outside the VCF.

FBI officials stated that the VCF will streamline the workflow process by including electronic signatures and reducing the number of required forms. Under the FBI’s current investigative process, a case file is started by using one of the FBI’s many different standardized forms. These forms will be replaced by the “intake” function of the VCF, which will simplify the initiation of a case file by eliminating them. As a result, the VCF will essentially replace all paper copies of investigative events.

According to FBI officials, the VCF will operate in a “point-and-click” web environment that will simplify the FBI’s workflow process for document storage and retrieval. Further, FBI officials told us that the VCF’s automated document creation, receipt, and management system will partially eliminate the need for traditional tracking systems. The VCF will include capabilities to scan into the case file any documents received from sources external to the FBI, as well as to capture summary descriptions of any documents and items, such as physical evidence, that cannot be stored electronically. The FBI’s intent is to eventually track external items through a bar code identification system: a bar code on a physical label would be affixed to the external document or item and linked to its electronic record.
Additionally, FBI officials said that the Records Management Division (RMD) is establishing systems and processes to effectively track documents and records contained in FBI systems.

While the VCF will consolidate five of the FBI’s investigative applications, FBI officials recognize that the VCF is only a starting point, since numerous other investigative and application systems exist that could be integrated into the VCF. Additionally, because of unresolved connectivity issues, crisis management software may still need to be used by agents after the initial deployment of the VCF. The FBI is identifying and defining other databases and crisis management software that should be included in future VCF releases to maximize the efficiency of the workflow process. FBI officials told us that additional funding will be needed to solve the connectivity issues at remote locations, as well as to consolidate and eliminate other databases and crisis management software.

We believe the FBI has demonstrated progress toward implementing these recommendations in the McVeigh report, based on its corrective actions taken to date and its plans for the VCF. However, 11 of these recommendations remain open, since the adequacy of the FBI’s corrective actions cannot be determined until the VCF has been completed.
Because the FBI’s ability to implement many IT recommendations and improve its IT program depends on the successful implementation of the VCF, the following sections discuss the factors affecting the success of the VCF.

(d) Factors Affecting the Success of the VCF

In our judgment, if the VCF can do what the FBI expects, it will represent a significant technological advancement over the ACS system. The VCF has the potential to reduce redundancy in searching multiple databases, improve the FBI’s case file management, and maximize the use of information in the FBI’s possession.

While the VCF has the potential to significantly improve the FBI’s information technology, as well as its records management and investigative efficiency, the ultimate success of the VCF depends on a number of different factors, including whether the VCF will meet its technical and performance expectations and be accepted and used by FBI employees.

1. Technical and Performance Expectations of the VCF

To ensure its success, the VCF must meet technical and performance expectations. As mentioned above, the Trilogy project has encountered significant cost overruns and schedule delays because the FBI did not follow critical management processes. The OIG’s ITIM report stated that these management problems contributed to difficulties with establishing the technical requirements for the VCF. Because the VCF is focused on making significant changes to five of the FBI’s investigative systems, documentation of the exact configuration of these legacy systems was critical to designing the requirements for the VCF.
The lack of documentation for the configuration of these five investigative systems forced the FBI to reverse engineer them, that is, to determine the structure and components of the systems after deployment, from the running systems themselves rather than from design records. Because the FBI had to perform reverse engineering on five systems, there are limitations on how rapidly the VCF can be developed and deployed.

As of April 2003, the FBI was still defining the technical requirements for the second and third releases of the VCF. Because the technical requirements had not yet been finalized and funding had not been approved, baselines for the VCF had not been established. We believe that the lack of technical, cost, and schedule baselines creates uncertainty not only about how much the VCF will cost and when it will be completed, but also about how it will perform upon implementation.

2. Acceptance and Use of the VCF

If the VCF is to be a vehicle for moving the FBI’s information management into the 21st century, it must be accepted and used throughout the FBI. Historically, the FBI has been a paper-driven organization. A goal of the VCF is to move toward a near-paperless environment so the FBI can maximize the use of technology to digitally capture information for data management and control. According to FBI officials, the VCF is the first real change to FBI workflow and processes that originated in the 1950s. Director Mueller recently stated that “Trilogy [VCF] will change the FBI culture from paper to electronic.”

As noted in the Campaign Finance and McVeigh reports, special agents did not always use the ACS system to manage their case files. For various reasons, they found alternative ways to manage case files.
The VCF must be used by all special agents for the FBI to fully realize its benefits.

FBI officials told us that since the VCF will contain the official case files, agents will have to use it, because there will be no other acceptable means to manage case files. However, FBI officials also acknowledged that because of unresolved connectivity issues at remote locations, agents may still need to use crisis management software such as Rapid Start.

B. Other Reports Relating to the FBI’s IT Program

Three GAO reports that we examined also noted deficiencies with certain aspects of the FBI’s IT program. The first report, entitled “Gun Control: Implementation of the National Instant Criminal Background Check System,” stated in 1999 that the FBI had not properly certified and accredited the IT system (certification being the technical evaluation of a system’s security controls against its requirements, and accreditation the formal management decision to authorize the system to operate with the residual risk that evaluation identifies). We later found that the system was subsequently certified and accredited on March 31, 2000. The second GAO report, entitled “Campaign Finance Task Force: Problems and Disagreements Initially Hampered Justice’s Investigation,” stated in 1999 that the FBI lacked an adequate information system that could manage and interrelate the evidence that had been gathered in relation to the Task Force’s investigations. These deficiencies were similar to those reported in the OIG’s Campaign Finance report. The third report, entitled “Enterprise Architecture Use Across the Federal Government Can Be Improved,” stated in 2002 that the FBI lacked a foundation for managing an enterprise architecture. The recently released OIG ITIM report reiterated the importance of having an established enterprise architecture when developing an IT investment management process.
Although these GAO reports did not include any FBI IT-related recommendations, they provide further support that previously identified deficiencies continue to affect the FBI.

Other entities have also issued reports in recent years that include analyses of the FBI’s IT management. One report relating to IT security was issued by the Webster Commission in March 2002, entitled “A Review of FBI Security Programs.” The Commission, chaired by former FBI Director William H. Webster, was established to review the FBI’s security practices in light of the espionage by FBI Supervisory Special Agent Robert Hanssen.

The report identified a wide range of problems affecting the FBI’s computer systems and information security policies, including:

• Classified information had been moved into systems not properly accredited for protection of classified information.

• Until recently, the FBI had not begun to certify and accredit most of its computer systems, including many classified systems.

• Inadequate physical protections placed electronically stored information at risk of compromise.

• The FBI’s approach to system design had been deficient because it had failed to ascertain the security requirements of the “owners” of information on its systems and to identify the threats and vulnerabilities that must be countered.

• Classified information stored on some of the FBI’s most widely used systems was not adequately protected because computer users lacked sufficient guidance about critical security features.

• Some FBI inspectors had insufficient resources to perform required audits, and when audits were performed, audit logs were reviewed sporadically, if at all.

The Webster Commission’s report concluded that these findings resulted from the FBI’s lack of attention to IT security in developing and managing computer systems. The last two findings describe controls that existed on paper but not in operation: an audit log that no one reviews provides no detection, and a security feature that users have not been told how to use provides no protection.

C. FBI’s Process for Following-Up on Recommendations

Until recently, the FBI had not implemented an effective system of management controls to ensure that recommendations are resolved and implemented in a timely and consistent manner. FBI personnel told us that while a formal process to track and resolve recommendations did not exist prior to September 2002, an informal process was used. Upon final issuance of an OIG or GAO report containing recommendations, the recommendations were forwarded to the various FBI Divisions. Someone within the Division was then assigned to respond to the recommendations until closure occurred. The FBI recognized that this informal process was not sufficient to ensure that corrective actions were timely and responsive. Specifically, FBI officials acknowledged that the informal process:

• was not documented in formal policies and procedures,

• was not adequately monitored by executive management and was not kept up-to-date,

• used multiple applications,

• did not keep measures of timeliness and responsiveness, and

• did not provide for sufficient follow-up once the original response or corrective action plan was submitted.

According to the Deputy Assistant Director of the Inspection Division, high turnover within FBI management also contributed to problems with maintaining current responses to OIG and GAO reports.
Under the informal process, when individuals left the FBI or were reassigned within the FBI, their replacements were not always made aware of recommendations or requests that were left pending. As a result, responses to recommendations and any related corrective action were often delayed, and the auditing or investigating agency had to again request a response to its recommendations.

The FBI recognized that improvements in its system of managing follow-up were needed to resolve and timely implement recommendations resulting from OIG and GAO reports. In September 2002, the FBI’s Inspection Division began to establish a new management process to improve the timeliness and responsiveness of the FBI’s corrective actions on OIG and GAO recommendations and to bring the FBI into compliance with the applicable regulations (OMB Circular A-50 and DOJ Order 2900.6A) for the follow-up and resolution of audit recommendations. To facilitate the implementation of this new management process, the Inspection Division developed a database, referred to as the “Automated Response and Compliance System” (ARCS). According to FBI documentation, ARCS is an automated tool that is intended to:

• document and track audits and data requests from the OIG, GAO, and others;

• track OIG and GAO audits, investigations, and reviews until closure; and

• provide status information to the FBI’s executive management on, or close to, a real-time basis.

The FBI’s new database tracks the receipt and resolution of audits, investigations, and data requests from the OIG, GAO, and others. It also tracks the tasks associated with the FBI’s current engineering efforts.
Among its functions, the database is intended to provide information to FBI managers on a regular basis to keep them informed of a report’s progress and to ensure timely implementation of recommendations. However, this database does not include vulnerabilities generated by the system audits required by GISRA. The FBI’s Information Assurance Section has taken steps to develop a separate database to manage the status of system audit vulnerabilities.

In conjunction with the development of the ARCS database, the FBI has also developed policies and procedures for the Inspection Division’s responsibilities for resolving OIG and GAO reports. These policies and procedures require the Inspection Division to assign a liaison for each report with outstanding recommendations and for each scheduled audit or review. The liaison has primary responsibility for entering information into the database, including deadlines for when tasks should be completed. The liaison is also responsible for ensuring that the report is assigned to a “project manager,” who ensures that all tasks are assigned to appropriate FBI personnel. This control ensures that appropriate FBI personnel can be held accountable for taking timely corrective actions. The liaison monitors the completion of tasks and is instructed to send periodic e-mail notices when tasks are near their due date or past due. Additionally, Inspection Division management reviews the activities of the liaisons to ensure that they are adequately monitoring their assigned projects.

FBI officials said that the database, which is maintained on the FBI’s intranet, generates reports for senior FBI management on upcoming suspense dates. For example, FBI Deputy Directors are required to perform quarterly reviews of their Divisions’ progress in completing outstanding tasks.
According to FBI officials, the Inspection Division Assistant Director uses reports generated by the ARCS database to discuss outstanding tasks at weekly executive meetings, which are attended by FBI Assistant Directors, Executive Assistant Directors, and the Director. These and other reports have been periodically forwarded to the Director at his request. FBI officials told us that the Director has taken a particular interest in the timeliness and responsiveness of the FBI’s corrective actions, re-engineering efforts, and responses to Congressional requests. The Director asks to be notified, especially with regard to high-profile reviews, when the FBI has not been timely and responsive in its planned actions.

While the FBI’s database can be a useful tool in establishing a management process directed toward improving the timeliness and responsiveness of its corrective actions, the ultimate effectiveness of this system depends on formal and consistent oversight from senior FBI management. Thus far, however, the FBI has not promulgated written directives FBI-wide that instruct program managers and senior officials (outside of the Inspection Division) regarding their obligation to take corrective actions that will close recommendations. In our judgment, the FBI must develop and institute a formal written process that requires senior management oversight of the timeliness and responsiveness of corrective actions on recommendations. These written procedures should also incorporate the policies for tracking the status of vulnerabilities generated by system audits.

3. OIG Recommendations

In this report, we make three recommendations for the FBI to improve its implementation of IT recommendations.
These recommendations are:

• Develop, document, and implement Bureau-wide procedures to follow up on and close audit and investigative recommendations (including those generated from system audits), in accordance with OMB Circular A-50 and DOJ Order 2900.6A.

• Ensure that the ARCS database is complete and includes recommendations from all sources of OIG audits and special reviews.

• Demonstrate through the timely closure of OIG audit and other recommendations that managers are being held accountable for taking corrective actions.

TABLE OF CONTENTS

INTRODUCTION ... 1
1. Background ... 1
2. Reports on the FBI’s IT ... 2
3. Policies and Procedures for Following-Up on Report Recommendations ... 3

OIG FINDINGS AND RECOMMENDATIONS ... 5
1. OIG Reports on the FBI’s IT ... 5
   A. Report on the FBI’s ADP Controls ... 6
   B. Report on the FBI’s IT Investment Management ... 8
   C. Reports on the FBI’s Control Environment over its Financial IT Systems ... 11
   D. Computer Security Reports in Response to GISRA ... 39
   E. Reports on OIG Special Investigations of the FBI ... 53
2. FBI’s Process for Following-Up on Recommendations ... 69
3. Summary ... 73
4. Recommendations ... 75

STATEMENT ON COMPLIANCE WITH LAWS AND REGULATIONS ... 76

STATEMENT ON MANAGEMENT CONTROLS ... 77

APPENDIX 1: OBJECTIVES, SCOPE, AND METHODOLOGY ... 78

APPENDIX 2: THE FBI’S PROGRESS TOWARD IMPLEMENTING IT RECOMMENDATIONS ... 80

APPENDIX 3: OTHER REPORTS RELATING TO THE FBI’S IT PROGRAM ... 132

APPENDIX 4: GLOSSARY OF ABBREVIATIONS AND ACRONYMS ... 139

APPENDIX 5: FBI’S RESPONSE TO THE DRAFT REPORT ... 141

APPENDIX 6: OIG, AUDIT DIVISION ANALYSES AND SUMMARY OF ACTIONS NECESSARY TO CLOSE REPORT ... 145

INTRODUCTION

1. Background

The Federal Bureau of Investigation (FBI) is the principal investigative arm of the Department of Justice (DOJ). To execute its responsibilities, the FBI’s Headquarters in Washington, D.C. provides program direction and support services to 56 field offices, approximately 400 satellite offices known as resident agencies, and more than 40 foreign liaison posts.

As of April 2003, the FBI had over 11,000 special agents and over 16,000 other employees who performed professional, administrative, technical, clerical, craft, trade, or maintenance operations.
The FBI’s budget authority was nearly $4.3 billion for FY 2003.[9] Of this budget authority, $606 million was allocated to information technology (IT) projects.

[9] This figure excludes Federal Retiree and Health Benefit Costs.

The terrorist attacks of September 11, 2001, prompted the Attorney General to make counterterrorism the DOJ’s highest priority. The DOJ reflected these new priorities in its Strategic Plan for FYs 2001–2006, which was issued in November 2001. In the Strategic Plan, the Attorney General recognized that the fight against terrorism requires the DOJ “to improve the integrity and security of its computer systems and make more effective use of information technology.”

Additionally, in July 2002, the DOJ released an IT Strategic Plan that included the following goals:

• sharing information quickly, easily and appropriately, inside and outside the DOJ;

• securing and protecting information;

• providing reliable, trusted, and cost-effective IT services; and

• using IT to improve program effectiveness and performance.

To meet these goals, the DOJ’s IT Strategic Plan focuses on four key areas considered to be the building blocks of the IT program: (1) IT infrastructure, (2) information security, (3) common solutions,[10] and (4) management roles and processes.[11]

In response to the DOJ’s new priorities following September 11, 2001, the FBI proposed fundamental changes in its strategic priorities and business practices.
In May 2002, the Director of the FBI announced a major reorganization that dedicates more resources to the prevention of terrorism. Although the core missions of the FBI remain intact, the changes are intended to transform the Bureau’s role from reactive to preventive. To accomplish this transition, FBI officials have repeatedly told Congress that new and improved IT is required to support a redesigned and refocused FBI. In testimony before the Senate Judiciary Committee on June 6, 2002, the Director released the FBI’s top ten priorities in the post-September 11 era, with the number one priority being protecting the United States from terrorist attacks. Number ten on the list of priorities is upgrading technology to successfully perform the FBI’s mission. Clearly, the FBI’s future ability to prevent terrorism and other crimes depends on modern information technology and effective management of that technology.

2. Reports on the FBI’s IT

Because of the significance of IT to the FBI’s mission-critical activities, the Office of the Inspector General (OIG) has issued numerous audits and special reviews over the past 12 years relating to the Bureau’s IT management processes.
These reports resulted from reviews of the FBI’s internal controls of financial IT systems, compliance with the Government Information Security Reform Act (GISRA), and management of IT investments.

      [10] According to the DOJ’s IT Strategic Plan, common solutions help to achieve improved collaboration, secured information sharing, and work simplification through the use of shared applications and databases.

      [11] According to the DOJ’s IT Strategic Plan, management roles and processes refer to the DOJ’s Chief Information Officer’s responsibilities, which include: promulgating departmental IT policies, processes, and standards; formulating departmental IT strategic plans; developing, implementing, and maintaining an enterprise architecture; developing guidance for, reviewing, and making recommendations concerning, component IT budget requests; reviewing and monitoring the design and implementation of major IT projects; and providing shared departmental services.

      Additionally, the OIG has conducted special reviews that considered the FBI’s use of computer applications in its investigative activities. Both the OIG audit and special review reports have highlighted many IT deficiencies at the FBI and have provided recommendations directed toward improving those vulnerabilities.

      Other entities (such as the General Accounting Office (GAO), private contractors, Congressional committees, and specially formed commissions) have conducted reviews that discuss the FBI’s IT management practices, but do not necessarily contain IT-related recommendations.
While the focus of our audit was to assess the FBI’s progress in implementing IT recommendations, in Appendix 3 of this report we discuss the findings of reports issued by the GAO and the Commission for the Review of FBI Security Programs (Webster Commission) due to their relevance to the FBI’s IT program.[12]

3. Policies and Procedures for Following-Up on Report Recommendations

      The Office of Management and Budget (OMB) and DOJ have issued policies and procedures for following-up on recommendations of audit reports. According to OMB Circular A-50, audit follow-up is an integral part of good management, and is a shared responsibility of agency management officials and auditors. Corrective action taken by management on resolved findings and recommendations is essential to improving the effectiveness and efficiency of government operations. OMB Circular A-50 requires agencies to establish systems to assure the prompt and proper resolution and implementation of audit recommendations. These systems are to provide for a complete record of action taken on both monetary and non-monetary findings and recommendations.

      The DOJ issued Order 2900.6A, Audit Follow-Up and Resolution, to establish the Departmental policies and criteria for the follow-up and resolution of audit findings and recommendations, to ensure that all OIG audit reports are adequately and timely resolved, and that all resolution actions are consistent with the governing laws and regulations.
The order states that DOJ components should assign a high priority to the immediate implementation of the order so that the DOJ will be in full compliance with the legislative and regulatory requirements pertaining to the timely resolution of audits.

      [12] In March 2002, the Webster Commission issued its report entitled, “A Review of FBI Security Programs.”

      The order also states that the heads of DOJ components are responsible for overall audit resolution and follow-up activities within their organizations and are accountable to the Deputy Attorney General. Further, DOJ components should establish an audit follow-up and resolution system that ensures written comments on audit findings and recommendations are made within a 4-month period.

      OIG audit reports generally contain recommendations that have a status of either open or closed. Open recommendations should be resolved[13] within six months of the final report issuance date. Recommendations are closed by the OIG when the OIG is satisfied that the component has taken the agreed upon corrective actions, or when the corrective action is waived. To determine if the agreed upon corrective actions were taken, the OIG may request that FBI officials provide documentation demonstrating that the stated corrective actions were completed. In other cases, the OIG may perform additional review to verify that the stated corrective actions were taken. Although subjective, the timeliness of corrective actions is assessed on a recommendation-by-recommendation basis due to the inherent difficulties associated with implementing certain recommendations.

      Upon issuing other OIG reports that also contain recommendations, such as special investigations or reviews, the OIG elicits responses from components regarding planned corrective actions.
When received by the OIG, the responses are reviewed to determine whether the planned corrective actions meet the intent of the recommendations. Periodically, the OIG makes inquiries with components to monitor the implementation of these actions. However, as with audit reports, component management is ultimately responsible for ensuring that recommendations are implemented in a timely manner.

      [13] The OIG considers a recommendation to be “resolved” when agreement is reached with the component on the corrective actions that will be necessary to close the recommendation.

           OIG FINDINGS AND RECOMMENDATIONS

     Since 1990, OIG reports have found numerous deficiencies with the FBI’s IT program, including outdated infrastructures, fragmented management, ineffective systems, and inadequate training. While the FBI has implemented many of the OIG’s IT recommendations (93 out of 148), significant further actions are necessary to ensure that the FBI’s IT program effectively supports its mission. Recent audits and reviews conducted by the OIG have found repeated deficiencies in the FBI’s IT control environment and compliance with information security requirements. These repeated deficiencies illustrate that, in the past, FBI management had not paid sufficient attention to improving its IT program. Until recently, the FBI lacked a system of management controls to ensure that recommendations issued by the OIG were implemented in a timely and consistent manner. Inadequate progress toward implementing IT recommendations and correcting deficiencies contributed to breaches in computer security and failures in mission-critical investigative activities.
     However, current FBI leadership has stated that they are committed to enhancing controls to ensure recommendations are implemented in a consistent and timely manner, and the FBI recently established a system to facilitate the tracking and implementation of recommendations. Additionally, the FBI expects significant improvements from its current IT modernization efforts, which the FBI believes will correct many of the deficiencies identified by the OIG.

1. OIG Reports on the FBI’s IT

      To assess the FBI’s progress in implementing recommendations directed toward improving its information technology, this audit examined the following OIG reports that considered the FBI’s use and management of IT:

     •   the 1990 report on the FBI’s automated data processing (ADP) controls,

     •   the 2002 report on the FBI’s IT investment management (ITIM),

     •   five reports issued for FYs 1996 through 2001 on the FBI’s control environment over its financial IT systems,[14]

     •   three reports issued for FYs 2001 and 2002 specific to the FBI’s compliance with GISRA, and

     •   two special review reports issued in 1999 and 2002 that contained FBI IT-related recommendations.

      Although the FBI made measurable progress in implementing the OIG’s IT recommendations contained in these reports (93 out of 148), it still must take significant actions to achieve a successful IT program. For the recommendations we examined, we assessed the status of the recommendations (whether open or closed).
To accomplish our assessment, we reviewed the latest available correspondence between the OIG and FBI regarding actions required to close recommendations, and made inquiries with FBI officials.[15] We considered recommendations with a closed status to be implemented, based on the OIG’s judgment that the requirements of the recommendation were met. As a result, we considered closed recommendations to be an indicator of the FBI’s progress in addressing deficiencies. Yet, while closed recommendations can be an indicator of progress, the underlying deficiency may re-appear in future audits and reviews.

      The following sections provide background information on these reports and an assessment of the FBI’s progress toward implementing IT-related recommendations contained in them.[16]

A. Report on the FBI’s ADP Controls

      In 1990, the OIG issued a report entitled, “The FBI’s Automatic Data Processing General Controls.” The objectives of the audit were to determine whether the ADP general controls: (1) had been designed according to management direction and known legal requirements; and (2) were operating effectively to provide reliability of, and security over, the data being processed.

      [14] The OIG issued one report for FYs 1996 and 1997.

      [15] Unless otherwise noted, our review of correspondence was as of April 2003.

      [16] The OIG recommendations that we examine are listed in Appendix 2. Appendix 2 also shows the status of the recommendations (whether open or closed), and a summary of the FBI’s progress toward implementing the recommendations.

(1) Background on Report Findings

      This report found 11 major internal control weaknesses, many of which still exist today. Specifically, the report found the following.

      1. The FBI’s phased implementation of its 10-year Long Range Automation Strategy, scheduled for completion in 1990, was severely behind schedule.

      2. The FBI’s Information Resources Management program was fragmented and ineffective, and the FBI’s Information Resources Management official did not have effective organization-wide authority.

      3. The FBI had not developed and implemented a data architecture.

      4. The FBI had not adequately involved top management in FBI Headquarters (FBIHQ) or the field offices in systems development through an Executive Review Committee.

      5. The FBI’s major mainframe investigative systems were labor intensive, complex, untimely, and non-user friendly, and few special agents used these systems.

(2) FBI’s Progress in Taking Corrective Actions

      As discussed in more detail in the following section, the December 2002 OIG report entitled, “The FBI’s Management of IT Investments,” noted that many of the weaknesses identified in the 1990 report on ADP controls still existed 12 years later. Regarding the first weakness, the FBI’s IT infrastructure is still severely outdated. Regarding the second weakness, the FBI has completed several restructurings, including one in February 2002 that was intended to give the Information Resources Management program more authority over the divisions that manage IT. Regarding the third weakness, the FBI is still developing an enterprise architecture framework, which includes the technical or data architecture.
Regarding the fourth weakness, the FBI did not formally establish IT investment review boards or committees until March 2002. Regarding the fifth weakness, the FBI’s major investigative systems remain labor intensive, complex, non-user friendly, and many special agents do not use these systems.

B. Report on the FBI’s IT Investment Management

      In December 2002, the OIG issued a report entitled, “The FBI’s Management of IT Investments.” The objectives of the audit were to: (1) determine whether the FBI was effectively managing its IT investments; and (2) assess the FBI’s IT-related strategic planning and performance measurement activities.

(1) Background on Report Findings

      The OIG concluded that the FBI had not effectively managed its IT investments because it had not fully implemented the management processes associated with successful IT investments. As discussed in the ITIM report, the foundation for sound IT investment management includes the following fundamental elements:

     •   defining and developing IT investment boards,

     •   following a disciplined process of tracking and overseeing each project’s cost and schedule milestones over time,

     •   identifying existing IT systems and projects,

     •   identifying the business needs for each IT project, and

     •   using defined processes to select new IT project proposals.

      The FBI failed to implement these critical processes.
The FBI did not have a fully-functional investment review board operation because the FBI did not provide adequate resources for operating the IT investment boards. Specifically, the OIG found insufficient evidence to demonstrate that: (1) executives and line managers supported and carried out IT investment board decisions and (2) board members understood the board’s policies and procedures and were knowledgeable in using the IT investment approach through training, education, or experience. Additionally, the FBI did not provide ample time to adequately prepare and train IT board members prior to initiating the pilot test of its recently developed ITIM process. This resulted in inadequate training of board members and insufficient time to develop IT proposals. For example, Technical Review Board members had only three business days to review over 50 IT proposals prior to their first board meeting.

      The OIG also found that the FBI was not effectively overseeing its IT projects. For example, while the FBI had issued project management guidance, the guidance was not being followed consistently. The OIG obtained differing answers from the FBI as to which document represented the official project management guidance.

      Because the FBI had not fully implemented the critical processes associated with effective IT investment management, the report concluded that the FBI continued to spend hundreds of millions of dollars on IT projects without adequate assurance that these projects would meet their intended goals.

      The OIG concluded that these shortcomings primarily resulted from a lack of management attention in the past to IT investment management. However, the FBI has recognized that its past methods for managing IT projects have been deficient, and the FBI committed to changing those practices.
In January 2002, the FBI developed a conceptual model for selecting, controlling, and evaluating IT investments. The model seeks to define a process that will promote a Bureau-wide perspective on IT investment management, so that only IT projects with the highest probability of improving mission performance are selected. Further, the process is intended to provide the methods, structures, disciplines, and management framework that govern how IT projects are controlled and evaluated.

      In addition to developing a conceptual model for a new IT investment management process, in early 2002 the FBI began a pilot test of the new process for the selection of IT proposals. The OIG found that the FBI made improvements during the pilot testing of the new selection process. Pursuant to the new process, the FBI created three IT investment review boards that reviewed IT proposals for technical compliance and “mission fit.” These boards, comprised of the FBI Director, FBI executives, and FBI IT managers, selected new IT proposals for inclusion in the FY 2004 budget request.

      The OIG ITIM report concluded that while the FBI had made efforts to improve its IT investment management practices, the FBI must take further actions to ensure that it can implement the fundamental processes necessary to build an IT investment foundation, as well as the more mature processes associated with highly effective IT investment management. These actions include:

      •   fully developing and documenting its new IT investment management process – which is necessary to completely implement the activities defined in the FBI’s conceptual model;

      •   requiring increased participation from IT program managers and users – which is necessary to ensure senior management acceptance and foster understanding and institutionalization of the IT investment management process; and

      •   further developing the FBI’s project management and enterprise architecture functions – which is necessary to execute the control and evaluate components of the IT investment management process as well as advance its investment management capability.

      The ITIM report also included a review of the FBI’s management of Trilogy, the FBI’s largest and most critical IT modernization project. The report noted that the lack of critical IT investment management processes contributed to missed milestones and led to uncertainties about cost, schedule, and technical goals. Specifically, despite $78 million in additional funding, the FBI missed its July 2002 milestone date for completing the physical IT infrastructure upgrades to field offices, including new computer hardware and networks. In addition, the user application (Virtual Case File) component of Trilogy, recognized by FBI officials as the most important aspect of the project in terms of improving agent performance, was at high risk of not being completed within the funding levels appropriated by Congress.

      The ITIM report also concluded that the FBI’s IT strategic planning and IT performance measurement was inadequate. The FBI’s strategic plan did not include goals for IT investment management, and the FBI’s strategic plan and performance plan were not consistent with the DOJ’s annual performance plan.

(2) FBI’s Progress in Taking Corrective Actions

      The ITIM report contained 30 recommendations directed toward improving the FBI’s management of its IT investments.
Because the ITIM report was issued in December 2002, too little time had passed (as of April 2003) to enable us to assess the FBI’s progress in implementing the recommendations identified in that report.

      While FBI management has stated that improving technology is a high priority, the ITIM report demonstrates that the FBI must take significant action to implement a successful IT program that fully supports its mission. It also demonstrates that a successful IT program depends on effective management control processes. Without effective management controls in place, major projects designed to improve technology, such as Trilogy, may not deliver their intended benefits on schedule and on budget. The following section discusses in more detail OIG findings and recommendations related to the FBI’s control environment over its IT systems.

C.   Reports on the FBI’s Control Environment over its Financial IT Systems

      The OIG conducts annual financial statement audits of the FBI, with the most recent report covering FY 2001. To support these financial statement audits, the OIG performs detailed reviews of the FBI’s control environment over its financial IT systems. Financial statement audits are intended to play a central role in (1) providing more reliable and useful financial information to decision-makers, and (2) improving the adequacy of internal controls and underlying financial management systems.

      In FY 1996, the OIG began conducting annual reviews of the FBI’s internal controls over IT systems using the GAO’s Federal Information System Controls Audit Manual (FISCAM).
The FISCAM describes the computer-related controls that auditors should consider when assessing the integrity, confidentiality, and availability of computerized data.

      The general methodology applied to assess computer-related controls requires auditors and reviewers to evaluate:

      •   general controls at the entity or installation level;

      •   general controls as they are applied to the applications being examined, such as a payroll system or a loan accounting system; and

      •   application controls, which are the controls over input, processing, and output of data associated with individual applications.

      According to the FISCAM, general controls are the policies and procedures that apply to all or a large segment of an entity’s information systems and help ensure their proper operation. Examples of primary objectives for general controls are to safeguard data, protect computer application programs, protect system software from unauthorized access, and ensure continued computer operations in case of unexpected interruptions. The FISCAM provides six categories for assessing the effectiveness of general controls. These categories are:

      •   entity-wide security program planning and management controls,

      •   access controls,

      •   application software development and change controls,

      •   system software controls,

      •   segregation of duty controls, and

      •   service continuity controls.

      The effectiveness of general controls is a significant factor in determining the effectiveness of application controls.
Without effective general controls, application controls may be rendered ineffective by circumvention or modification.

      Application controls are directly related to individual computerized applications. These controls help ensure that transactions are valid, properly authorized, and completely and accurately processed and reported. Both general and application controls must be effective to help ensure the reliability, appropriate confidentiality, and availability of critical automated information.

      The nature and extent of audit procedures required to assess computer-related controls varies depending on the audit objectives and other factors. If general controls are not operating effectively, the application-level controls are generally not tested. However, if an audit objective is to identify control weaknesses with an application where more employees may have the potential to take advantage of a weakness, an assessment of the application controls may be appropriate.

      During the course of these IT reviews, the OIG grouped the vulnerabilities and weaknesses found into the following categories defined by Government Auditing Standards and the American Institute of Certified Public Accountants.

      •    Reportable Conditions — matters coming to the auditors’ attention that, in their judgment, should be communicated because they represent significant deficiencies in the design or operation of internal control, which could adversely affect the organization’s ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements.

      •    Material Weaknesses — reportable conditions in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by error or fraud in amounts that would be material in relation to the financial statements being audited may occur and not be detected by employees in the normal course of performing their assigned functions.[17]

      As of April 2003, the OIG had issued reports for FYs 1996 through 2001 that indicated consistent weaknesses in the FBI’s general and application controls. However, we found that the FBI had made progress in correcting deficiencies associated with the control environment over its financial IT systems. Of the 105 recommendations contained in the detailed reports supporting the financial statement audits from FYs 1996 to 2001, 83 have been implemented and closed, and 22 are still open. Of the 22 open recommendations, 13 correspond to material weaknesses in the FBI’s IT management controls, indicating that without compensating controls there is an increased risk that material misstatements to the financial statements will not be detected.

      We concluded that while the FBI has made some progress, it must take further action to enhance its controls over its IT environment.
As of April 2003, material weaknesses and other control vulnerabilities remained in each of the FISCAM general control areas, except for system software. The following sections provide further details on each of these control categories, the weaknesses noted in these control categories, as well as the FBI’s progress toward correcting the weaknesses.

      [17] A third category of vulnerabilities are management letter comments, which the OIG considers to be a reportable matter that does not meet the criteria of a reportable condition or material weakness.

(1) Entity-Wide Security Program Planning and Management Controls

      According to the FISCAM, an entity-wide process for security program planning and management is the foundation of an organization’s security control structure and a reflection of senior management’s commitment to addressing security risks. The security program should establish a framework and a continuing cycle of activity for assessing risk, developing and implementing effective security procedures, and monitoring the effectiveness of these procedures.

      According to the FISCAM, without a well-designed security program, security controls may be inadequate; responsibilities may be unclear, misunderstood, and improperly implemented; and controls may be inconsistently applied. Such conditions may lead to insufficient protection of sensitive or critical resources and disproportionately high expenditures for controls over low-risk resources.

(a) Background of Entity-Wide Security Program Planning and Management Control Findings

      Reviews of the FBI’s general computer controls for FYs 1996 through 2001 included repeated deficiencies pertaining to entity-wide security program planning and management controls.
During the FY 1998 review, the OIG reported that the Payroll System did not have a security plan. That condition was reported again during the FY 1999 review. Additionally, the OIG reported in FY 2000 that a security plan had been written, but it did not address (1) specific rules of behavior, (2) training, and (3) the rules of the system. Further, the OIG reported in FY 2001 that the plan did not address an incident response capability, rules of behavior, and system interconnection. These reports for FYs 1998 through 2001 also stated that vulnerabilities existed because FBI management did not thoroughly review the FBI’s “Payroll System Security Plan” that was written by a contractor.

      As of April 2003, the deficiencies associated with the FBI’s security program plans were considered to be a material weakness. The OIG made eight recommendations in the reviews for FYs 1996 through 2001 that were directed toward correcting the identified security program planning and management control vulnerabilities. Four of these recommendations were repeated in more than one year’s report.

(b) FBI’s Progress in Taking Corrective Actions

      Since FY 1996, the FBI has made progress in correcting the vulnerabilities in its entity-wide security planning and management controls. Six of the eight recommendations were closed as of April 2003, while the other two remained open. Of the six recommendations that were implemented, four were last reported by the OIG as material weaknesses, while the other two were reportable conditions.
The following table summarizes how the open and closed recommendations correspond to the reported vulnerability.

   Summary of Open and Closed Entity-Wide Program Planning and Management Recommendations by Vulnerability Type

   Type of Vulnerability        Number of Open      Number of Closed    Total Number of
                                Recommendations     Recommendations     Recommendations
   Material Weakness                   2                   4                   6
   Reportable Condition                0                   2                   2
   Management Letter Comment           0                   0                   0
   Total                               2                   6                   8
   Source: OIG analyses as of April 2003

      By implementing six of the recommendations, the FBI improved its entity-wide security program planning and management controls by:

      •   taking steps to clearly assign, identify, and communicate information security responsibilities (reportable condition);

      •   allocating sufficient resources to ensure the proper implementation of its Automated Data Processing and Telecommunications (ADPT) policy (reportable condition);

      •   ensuring that risk assessments of the FBI Headquarters Data Center, its other supporting systems, and all major applications are conducted as required by OMB Circular A-130 and by the FBI’s Manual of Investigative Operations and Guidelines (material weakness);

      •   ensuring that the systems and applications are accredited every three years (material weakness);

      •   renewing the interim accreditation for general control systems and major applications (material weakness); and

      •   improving security and application controls by determining which of its systems are classified as “major applications” (material weakness).

      Despite the progress, additional corrective actions are necessary to mitigate the remaining weaknesses. Specifically, the FBI must still ensure that:

      •   the ADPT security plans are completed appropriately (material weakness), and

      •   the Payroll System Security Plan incorporates an incident response capability and rules of behavior (material weakness).

      Regarding the completion of ADPT security plans, the OIG first recommended this action in the FY 1998 report, and has since repeated it in the FY 1999, 2000, and 2001 reports because the FBI’s corrective actions to date have been inadequate. Without an approved security plan, the integrity of sensitive information maintained by the FBI is at risk of being compromised.

(2) Access Controls

(a) Background of Access Control Findings

      Reviews of the FBI’s general computer controls for FYs 1996 through 2001 included repeated deficiencies pertaining to access controls. The access control findings discussed in the FY 2001 report were considered to be a material weakness of the FBI. In the reviews for FYs 1996 through 2001, the OIG made 42 recommendations that were directed toward correcting the identified access control vulnerabilities.[18] Ten of these recommendations were repeated in subsequent reports.

      [18] These recommendations are listed in Appendix 2.

      The OIG’s most recent report, covering FY 2001, stated that there were two findings associated with access controls: (1) auditing controls over the local area network (LAN), and (2) excessive access privileges granted to systems programmers.

      1. Auditing Controls Over the Local Area Network

      The OIG’s review for FY 1998 reported that an automated tool was used to assess the technical controls over the FBI’s Finance Division LANs. The assessment found weaknesses in three areas of security: account restrictions, system monitoring, and data confidentiality.

      In FY 1999, another automated tool was used to perform the assessment of the technical controls over the FBI’s Finance Division LANs. Although corrective action had been initiated on the prior weaknesses found, the OIG reported that these weaknesses still existed during FY 1999. The FY 2000 report stated that auditing remained disabled on the Finance Division’s Windows NT and Novell NetWare environments.

      According to the OIG FY 2001 review, although FBI management had indicated that corrective actions had been taken with respect to the recommended settings, the conditions continued to be identified during the annual financial statement audit process. The FY 2001 report further stated that the cause for this weakness was the Finance Division LAN administrators not fully implementing the FBI’s audit policy on logical access controls on their Windows NT and NetWare LANs.

      2. Excessive Access Privileges Granted to Systems Programmers

      The FY 2001 report stated that access control profiles were not configured to restrict access to sensitive database utilities and payroll files. Specifically, the report noted instances where three systems programmers had access to database utilities and had full control of the payroll and Oracle datasets. The FY 2001 report further stated that the cause was the FBI granting systems programmer profiles to database programmers, thus providing them with unnecessary access to sensitive utilities.
The OIG also\nreported in FY 2001 that the FBI\xe2\x80\x99s Systems Programming and Integration\nUnit (SPIU) was in the process of developing a database programmer profile\nthat would provide access control to the needed datasets.\n\n\n\n\n                                     - 17 \xe2\x80\x93\n\x0c(b) FBI\xe2\x80\x99s Progress in Taking Corrective Actions\n\n      The FBI has made progress in correcting the vulnerabilities in this\nFISCAM category area since FY 1996. Of the 42 recommendations, 32 were\nclosed as of April 2003, while the other 10 remained open. Of the 32\nrecommendations that were implemented, 15 were last reported by the OIG\nas material weaknesses, 13 were reportable conditions, and 4 were\nmanagement letter comments. The following table summarizes how the\nopen and closed recommendations correspond to the reported vulnerability.\n\n Summary of Open and Closed Access Control Recommendations by\n                      Vulnerability Type\n\n   Type of      Number of Open          Number of Closed    Total Number of\nVulnerability Recommendations           Recommendations    Recommendations\nMaterial\nWeakness                 5                        15              20\nReportable\nCondition                5                        13              18\nManagement\nLetter\nComment                  0                         4              4\n         Total          10                        32             42\nSource: OIG analyses as of April 2003\n\n     By implementing 32 of the recommendations, the FBI improved its\naccess control environment. 
These improvements included:

• establishing procedures that require new users to immediately change their initial password (reportable condition);

• reviewing user access to sensitive system files (reportable condition);

• establishing and distributing procedures requiring local security administrators to periodically, at least quarterly, review employees’ access privileges in relation to their current job functions (reportable condition);

• deleting users that no longer require access to the network or do not have a demonstrated need for their access (material weakness); and

• requiring all system administrators to change their passwords at least every 30 days (material weakness).

Despite the progress made, additional corrective actions are necessary to mitigate the remaining weaknesses. Specifically, the FBI still must ensure that:

• an entity-wide data assessment of network systems is periodically performed to determine where potential vulnerabilities exist (reportable condition);

• user authentication controls are strengthened by an active token for user authentication (reportable condition);

• computer security training is provided to users at least annually (reportable condition);

• policies and procedures for the FBI’s IT environments are complied with (material weakness); and

• the auditing function on the Finance Division’s NetWare environment is enabled (material weakness).

With respect to complying with policies and procedures and enabling the auditing function, the OIG first recommended these actions in the FY 1998 report, and has since repeated them in the FY 1999, 2000, and 2001 reports because the FBI’s corrective actions to date have been inadequate. These actions are necessary to reduce the risk of processing erroneous or fraudulent transactions, and ensure that there can be a reconstruction of events if a system compromise or malfunction occurs.

(3) Application Software Development and Change Controls

According to the FISCAM, application software is designed to support a specific operation, such as payroll or loan accounting. Typically, several applications may operate under one set of operating system software. Establishing controls over the modifications of application software programs helps to ensure that only authorized modifications are implemented. Without proper application software development and change controls, there is a risk that security features could be inadvertently or deliberately omitted or “turned off” or that processing irregularities or malicious code could be introduced.

(a) Background of Software Development and Change Control Findings

Reviews of the FBI’s general computer controls for FYs 1996 through 2001 included repeated deficiencies pertaining to software development and change control findings. During the FY 2000 review, the OIG noted that although the FBI had developed a change control manual in July 1997 entitled “The Architecture Change Management (ACM) Plan,” it did not address changes to the computer-based application and its environment. The OIG also reported in FY 2000 that project managers were not using the ACM because the procedures set forth by the ACM did not reflect the FBI’s current information technology architecture, including recent changes to hardware, software, and firmware.

During the FY 2001 review, the OIG noted that the FBI had documented a change control process entitled, “Change Management Rules, Standards and Procedures,” which replaced the ACM. However, this process had not been implemented on the Property Management Application (PMA) and the Payroll Application.

According to the FY 2001 report, the failure to implement the change management rules occurred because the FBI’s Quality Configuration and Methods Unit (QCMU) did not enforce the Change Management Rules, Standards, and Procedures. The FY 2001 report further stated that the Unit plans to perform audits of divisions as a means of enforcing the procedures. The OIG reported that this weakness increases the chance that two or more independent changes to the system will conflict with one another and, consequently, the system will not function properly.

In the reviews for FYs 1996 through 2001, the OIG made eight recommendations that were directed toward correcting the identified system software development and change control findings.¹⁹ Four of these recommendations were repeated in subsequent reports. As of the issuance of the FY 2001 report, the deficiencies associated with the FBI’s software development and change controls were considered to be a material weakness.

¹⁹ These recommendations are listed in Appendix 2.

(b) FBI’s Progress in Taking Corrective Actions

Since FY 1996, the FBI has made progress in correcting the software development and change control deficiencies. Six of the eight recommendations pertaining to this FISCAM category were closed as of April 2003, while the other two remained open. Of the six recommendations that were implemented, three were last reported by the OIG as material weaknesses, while the other three were management letter comments.
The following table summarizes how the open and closed recommendations correspond to the reported vulnerability.

Summary of Open and Closed Application Software Development and Change Control Recommendations by Vulnerability Type

Type of Vulnerability        Number of Open      Number of Closed    Total Number of
                             Recommendations     Recommendations     Recommendations
Material Weakness                        1                   3                   4
Reportable Condition                     0                   0                   0
Management Letter Comment                1                   3                   4
Total                                    2                   6                   8
Source: OIG analyses as of April 2003

By implementing six of the recommendations, the FBI improved its software development and change controls by:

• developing and maintaining a configuration management process addressing changes to overall ADPT resources (management letter comment);

• expediting the implementation of the ACM methodology entity-wide (management letter comment);

• developing and implementing procedures to ensure all system problems are recorded (management letter comment);

• ensuring that the Information Resources Division enhances the ACM document to comprehensively address any type of change to the computer-based application system and its environment (material weakness);

• ensuring that the methodology set forth with the ACM is consistently applied to the Financial Management System application (material weakness); and

• enforcing the emergency change procedures stated within ACM (material weakness).

Despite the progress made, additional corrective actions are necessary to mitigate the remaining weaknesses. Specifically, the FBI must ensure that:

• a policy is developed and implemented requiring periodic independent reviews of all major systems development activities at each major activity milestone (management letter comment); and

• an automated software management system is implemented in order to automate the transfer of all program code necessary to run a system (material weakness).

Regarding the implementation of an automated software management system, the OIG first recommended this action in the FY 1996/1997 report, and has since repeated it in the FY 1998, 1999, and 2000 reports because the FBI’s corrective actions to date have been inadequate. Change requests maintained in multiple databases increase the risk that the FBI’s Information Resources Division may not have the most current and accurate status of all requests. Additionally, poor change controls can create risks that inaccurate and unauthorized computer changes are implemented into the production environment. This weakness could cause inaccurate data or loss of data to the application.

(4) System Software Controls

According to the FISCAM, system software is a set of programs designed to operate and control the processing activities of computer equipment. Generally, one set of system software is used to support and control a variety of applications that may run on the same computer hardware. System software helps control and coordinate the input, processing, output, and data storage associated with all the applications that run on a system. Some system software can change data and program code on files without leaving an audit trail.

Controls over access to and modification of system software are essential in providing reasonable assurance that operating system-based security controls are not compromised and that the system will not be impaired. Inadequate controls over system software could enable unauthorized individuals to circumvent security controls to read, modify, or delete critical or sensitive information and programs; authorized users of the system to gain unauthorized privileges to conduct unauthorized actions; or system software being used to circumvent edits and other controls built into application programs. Such weaknesses seriously diminish the reliability of information produced by all of the applications supported by the computer system and increase the risk of fraud and sabotage.

(a) Background on System Software Control Findings

The FY 2001 review did not report any material weaknesses associated with system software controls. The most recent vulnerabilities were noted in the FY 2000 and FY 1999 reports.

(b) FBI’s Progress in Taking Corrective Actions

The FBI has corrected the deficiencies identified in the detailed IT reports for FYs 1996 through 2000. The reports for FYs 1996 through 2000 made seven recommendations that were directed toward correcting the identified system software control vulnerabilities.²⁰ All seven recommendations pertaining to this FISCAM control category were closed as of April 2003. Two of the recommendations were last reported by the OIG as material weaknesses, one was a reportable condition, and the remaining four were management letter comments. The following table summarizes how the open and closed recommendations correspond to the reported vulnerability.

²⁰ These recommendations are listed in Appendix 2.

Summary of Open and Closed System Software Control Recommendations by Vulnerability Type

Type of Vulnerability        Number of Open      Number of Closed    Total Number of
                             Recommendations     Recommendations     Recommendations
Material Weakness                        0                   2                   2
Reportable Condition                     0                   1                   1
Management Letter Comment                0                   4                   4
Total                                    0                   7                   7
Source: OIG analyses as of April 2003

By implementing the seven recommendations, the FBI improved its system software control environment as of the issuance of the FY 2001 IT report.
Examples of these improvements include:

• performing an analysis to determine which libraries and associated members are necessary for proper system performance (management letter comment);

• implementing procedures to ensure that all system documentation is current and complete and that changes to documentation are reflected timely and disseminated to applicable individuals (management letter comment);

• implementing a system software control policy to ensure that system software is current (management letter comment);

• configuring the parameters in order to log all the associated transactions for the respective System Management Facility records (material weakness); and

• establishing and implementing a formal change control process for changes to system software (reportable condition).

Regarding the implementation of a formal change control process, the OIG first recommended this action in the FY 1996/1997 report, and then repeated it in the FY 1998 and 1999 report before the FBI completed adequate corrective action. While no open recommendations pertaining to system software controls remain for the FYs 1996 through 2001 reports, testing conducted for the FY 2002 review indicates additional vulnerabilities exist with system software controls. The FBI’s ability to make lasting improvements to its IT control environment depends on a strong commitment from management, rather than short-term fixes that represent temporary progress.

(5) Segregation of Duty Controls

According to the FISCAM, work responsibilities should be segregated so that one individual does not control all critical stages of a process. For example, while users may authorize program changes, programmers should not be allowed to do so because they are not the owners of the system and do not have the responsibility to see that the system meets user needs. Similarly, one computer programmer should not be allowed to independently write, test, and approve program changes. Often, segregation of duties is achieved by splitting responsibilities between two or more organizational groups. Dividing duties among two or more individuals or groups diminishes the likelihood that errors and wrongful acts will go undetected because the activities of one group or individual will serve as a check on the activities of the other.

Inadequately segregated duties increase the risk that erroneous or fraudulent transactions could be processed, that improper program changes could be implemented, and that computer resources could be damaged or destroyed. The extent to which duties are segregated depends on the size of the organization and the risk associated with its facilities and activities. A large organization will have more flexibility in separating key duties than a small organization that must depend on only a few individuals to perform its operation. Smaller organizations may rely more extensively on supervisory review to control activities. Similarly, activities that involve extremely large dollar transactions, or are otherwise inherently risky, should be divided among several individuals and be subject to relatively extensive supervisory review.

(a) Background on Segregation of Duty Findings

Reviews of the FBI’s general computer controls for FYs 1996 through 1998, and 2000 through 2001 included repeated deficiencies pertaining to segregation of duty controls. The OIG made five recommendations in the reviews for FYs 1996 through 1998 and 2000 through 2001 that were directed toward correcting the identified segregation of duty vulnerabilities.²¹ Two of these recommendations were repeated in the FY 2001 report.

²¹ These recommendations are listed in Appendix 2.

The FY 2001 report stated that there were three findings associated with segregation of duty controls pertaining to: (1) policies and procedures for segregation of duties, (2) physical and logical controls for segregation of duties, and (3) documented procedures for the FBI’s Payroll Application.

1. Policies and Procedures for Segregation of Duties

The OIG stated in its FY 2000 report that the FBI has not established guidance, policies, procedures, or awareness of segregation of duties within the divisions and units. The result is unclear segregation of job responsibilities. This condition was also reported in the FY 2001 report.

According to the FY 2001 report, unclear, inconsistent policies and a lack of guidelines to separate the units created an environment where duties occasionally overlap. As a result, it was difficult to define responsibilities between the various units within the FBI.

2. Physical and Logical Controls for Segregation of Duties

The OIG reported in FY 2000 that application programmers had access to both the test and production regions in the PMA and Payroll Application. The FY 2001 report further stated that the application system administrator for the PMA was appropriately granted program update access to the test environment. However, the application system administrator also could move programs back into the production environment. Specifically, the Payroll Application programmers had the ability to move programs (source code) from the library to the test environment, make changes, and move the programs back into the quality assurance environment for testing.

According to the FY 2001 report, inadequate segregation of duties within the units and divisions caused application administrators and programmers to inappropriately be granted access to both the test and production regions.

3. Documented Procedures for the Payroll Application

The FY 2001 report stated that documented procedures do not exist for the Payroll Application’s administrative functions. The report further stated that this weakness is caused by the failure to require a consistent administrative process for payroll-related functions by the Payroll Administration and Processing Unit and the Personnel Staffing Unit.

(b) FBI’s Progress in Taking Corrective Actions

Since FY 1996, the FBI has made progress in correcting deficiencies associated with segregation of duty controls. Four of the five recommendations pertaining to this FISCAM category were closed as of April 2003, while one remained open. Of the four recommendations that were implemented, two were last reported by the OIG as a material weakness, while the other two were management letter comments.
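The conflicts described in this section (a programmer who can move code from the test region into production, or who can both write and approve the same change) and the access review items listed earlier under Access Controls (removing users without a demonstrated need, rotating administrator passwords at least every 30 days) are conditions an entitlement review can detect mechanically from an access export. The following Python script is an added example, not code from the OIG report or the FBI; the grant and account records, the permission names and the April 2003 review date are constructed for illustration.

```python
"""Entitlement review: segregation-of-duties conflicts and account hygiene.

Added example (not code from the OIG report or the FBI). The grant records,
account records, permission names and the "as of" date below are constructed
for illustration; the rules encode the FISCAM principles the report cites.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Constructed entitlement export: (user, application, permission).
GRANTS = [
    ("jdoe",   "payroll", "update_test"),
    ("jdoe",   "payroll", "update_production"),  # can move own code test -> production
    ("asmith", "payroll", "update_test"),
    ("asmith", "payroll", "approve_change"),     # writes and approves the same changes
    ("rlee",   "oracle",  "db_programmer"),
    ("rlee",   "mvs",     "sysprog_profile"),    # systems-programmer profile on a DB programmer
    ("mchan",  "pma",     "update_test"),
    ("mchan",  "pma",     "read_production"),    # read-only production access: no conflict
]

# Permission pairs one person must never hold together on the same application.
PER_APP_CONFLICTS = [
    frozenset({"update_test", "update_production"}),
    frozenset({"update_test", "approve_change"}),
    frozenset({"update_production", "approve_change"}),
]
# Pairs that conflict regardless of application.
GLOBAL_CONFLICTS = [
    frozenset({"db_programmer", "sysprog_profile"}),
]


def sod_conflicts(grants):
    """Return (user, application or '*', conflicting pair) for every toxic combination."""
    per_user_app = defaultdict(set)
    per_user = defaultdict(set)
    for user, app, perm in grants:
        per_user_app[(user, app)].add(perm)
        per_user[user].add(perm)
    findings = []
    for (user, app), perms in sorted(per_user_app.items()):
        findings += [(user, app, pair) for pair in PER_APP_CONFLICTS if pair <= perms]
    for user, perms in sorted(per_user.items()):
        findings += [(user, "*", pair) for pair in GLOBAL_CONFLICTS if pair <= perms]
    return findings


@dataclass
class Account:
    user: str
    is_admin: bool
    last_login: date
    password_set: date
    recertified: bool  # access re-confirmed by the owner at the last quarterly review


AS_OF = date(2003, 4, 30)  # constructed review date

# Constructed account records.
ACCOUNTS = [
    Account("jdoe",    False, date(2003, 4, 28), date(2003, 3, 1), True),
    Account("sysadm1", True,  date(2003, 4, 29), date(2003, 2, 1), True),   # admin password 88 days old
    Account("temp42",  False, date(2002, 12, 1), date(2002, 11, 1), False), # idle, never re-certified
]


def account_findings(accounts, as_of=AS_OF, max_admin_pw_age=30, max_idle_days=90):
    """Flag administrator passwords older than the rotation limit and idle,
    un-recertified accounts that should be removed."""
    findings = []
    for a in accounts:
        pw_age = (as_of - a.password_set).days
        idle = (as_of - a.last_login).days
        if a.is_admin and pw_age > max_admin_pw_age:
            findings.append((a.user, f"admin password age {pw_age}d > {max_admin_pw_age}d"))
        if idle > max_idle_days and not a.recertified:
            findings.append((a.user, f"idle {idle}d and no demonstrated need; remove"))
    return findings


if __name__ == "__main__":
    for user, app, pair in sod_conflicts(GRANTS):
        print(f"SoD conflict: {user} holds {sorted(pair)} on {app}")
    for user, reason in account_findings(ACCOUNTS):
        print(f"Account finding: {user}: {reason}")
```

Against a real export the two rule lists would come from the organization's own conflict matrix, and each hit is a review item for the access owner to justify or revoke, which is the quarterly re-certification the report's recommendations call for.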
The\nfollowing table summarizes how the open and closed recommendations\ncorrespond to the reported vulnerability.\n\n            Summary of Open and Closed Segregation of Duty\n               Recommendations by Vulnerability Type\n\n   Type of      Number of Open          Number of Closed    Total Number of\nVulnerability Recommendations           Recommendations    Recommendations\nMaterial\nWeakness                 1                        2               3\nReportable\nCondition                0                        0               0\nManagement\nLetter\nComment                  0                        2               2\n         Total           1                        4               5\nSource: OIG analyses as of April 2003\n\n     By implementing four of the recommendations, the FBI improved its\nsegregation of duty controls by:\n\n      \xe2\x80\xa2   assessing the need for additional personnel at the staff level within\n          the data security administrative function\n          (management letter comment);\n\n      \xe2\x80\xa2   performing an analysis of the potential benefits of applying business\n          process re-engineering and/or activitiy-based costing processes to\n          current operations in order to enhance effectiveness, efficiency, and\n          productivity (management letter comment);\n\n      \xe2\x80\xa2   ensuring application administrators and programmers do not have\n          direct update access to both test and production application\n          programs (material weakness); and\n\n      \xe2\x80\xa2   establishing guidance policies, procedures, and awareness of\n          segregation of duties within the divisions and units\n          (material weakness).\n\n                                         - 27 \xe2\x80\x93\n\x0c      Despite the progress made, an additional corrective action is necessary\nto mitigate the remaining weaknesses. 
Specifically, the FBI still must ensure\nthat the payroll-related functions are documented and maintained to ensure\nthe consistent application of the payroll-related administrative process\n(material weakness).\n\n      Because a segregation of duty deficiency was not corrected as of April\n2003, the FBI is subject to the risk that erroneous transactions could be\nprocessed, improper program changes could be implemented, and computer\nresources could be damaged or destroyed.\n\n(6) Service Continuity Controls\n\n       According to the FISCAM, losing the capability to process, retrieve, and\nprotect information maintained electronically can significantly affect an\nagency\xe2\x80\x99s ability to accomplish its mission. For this reason, an agency should\nhave (1) procedures in place to protect information resources and minimize\nthe risk of unplanned interruptions, and (2) a plan to recover critical\noperations should interruption occur. The procedures and plan should\nconsider the activities performed at general support facilities, such as data\nprocessing centers and telecommunications facilities, as well as the activities\nperformed by the users of specific applications. To determine whether the\nrecovery plan will work as intended, the plan should be tested periodically in\ndisaster simulation exercises.\n\n       Although often referred to as disaster recovery plans, controls to\nensure service continuity should address the entire range of potential\ndisruptions. These disruptions may include relatively minor interruptions,\nsuch as temporary power failures, as well as major disasters, such as fires or\nnatural disasters, that would require reestablishing operations at a remote\nlocation. If controls are inadequate, even relatively minor interruptions can\nresult in lost or incorrectly processed data, which can cause financial losses,\nexpensive recovery efforts, and inaccurate or incomplete financial or\nmanagement information. 
For some operations, such as those involving health care or safety, system interruptions could also result in injuries or loss of life.

To mitigate service interruptions, it is essential that the related controls be understood and supported by management and staff throughout the organization. Senior management commitment is especially important to ensure that adequate resources are devoted to emergency planning, training, and related testing. In addition, all staff with service continuity responsibilities, such as staff responsible for backing up files, should be fully aware of the risks if these duties are not fulfilled.

(a) Background on Service Continuity Control Findings

Reviews of the FBI's general computer controls for FYs 1996 through 2000 reported repeated deficiencies in service continuity controls. The FY 2000 report identified two service continuity findings that were included in the material weakness. During the FY 2001 review, the OIG did not report any additional service continuity control deficiencies, although certain previously reported material weaknesses remained. These weaknesses are discussed below.

The FY 2000 report stated that the FBI's Contingency/Disaster Recovery Plans did not address specific applications, were incomplete and outdated, and did not include requirements such as testing scenarios and plans. While the FBI's Headquarters Data Center unit chief had attempted to update the plans, the business process owners had not adequately defined risks and critical recovery needs.

Because of this deficiency, during an extended outage or disaster, information system processing functions and vital business operations may be damaged and unable to function because critical information and computer resources are unavailable or inaccessible.

Additionally, the OIG reported in FY 1999, and again in FY 2000, that Data Center employees still had not been trained in disaster recovery, emergency, and contingency procedures. Without proper knowledge of procedures and priorities, staff may be unable to perform the critical duties needed to resume operations.

The reports for FYs 1996 through 2000 made 17 recommendations directed toward correcting the identified service continuity control vulnerabilities.22 Nine of these recommendations were repeated in subsequent reports.

22 These recommendations are listed in Appendix 2.

(b) FBI's Progress in Taking Corrective Actions

Since FY 1996, the FBI has made progress in correcting deficiencies associated with service continuity controls. Of the 17 recommendations pertaining to this FISCAM category, 15 were closed as of April 2003, while the other two remained open. Of the 15 recommendations that were implemented, 13 were last reported by the OIG as material weaknesses, while the remaining two were management letter comments. The following table summarizes how the open and closed recommendations correspond to the reported vulnerability type.

Summary of Open and Closed Service Continuity Control Recommendations by Vulnerability Type

Type of Vulnerability        Open Recommendations   Closed Recommendations   Total Recommendations
Material Weakness                               2                       13                      15
Reportable Condition                            0                        0                       0
Management Letter Comment                       0                        2                       2
Total                                           2                       15                      17
Source: OIG analyses as of April 2003

By implementing 15 of the recommendations, the FBI improved its service continuity control environment. Examples of these improvements include:

• developing procedures to ensure that daily back-up tapes are stored in a secure fireproof vault that is not located within the immediate Data Center (management letter comment);

• developing a comprehensive contingency plan that provides an entity-wide approach for the recovery of mission-critical data processing operations in the event of a disaster (material weakness);

• assigning responsibility to a team of individuals to ensure that full back-up and recovery is performed (material weakness);

• ensuring that all data personnel are informed when the ADPT contingency plan has been completed and approved and that employees have access to the plan (material weakness); and

• briefing Data Center personnel on emergency procedures and responsibilities through training sessions and by distributing written policies and procedures (material weakness).
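Three of the improvements above concern the backups themselves: daily tapes kept in a vault outside the Data Center, a named team accountable for full back-up and recovery, and (as the GISRA operational control findings later in this report require) an actual restore test rather than an assumption that the tape is good. Each of those can be expressed as a check the backup team runs after every cycle. The block below is an added illustrative example, not code from the OIG report or from the FBI; the site names, file paths, file contents, the one-day freshness window, and the list of locations that count as "inside the Data Center" are all constructed assumptions for the example.

```python
"""Service-continuity spot check over a constructed backup catalog.

Added illustrative example, not code from the OIG report or the FBI. It turns
three conditions from the audit text into checks: the latest full backup is no
older than one day, it is stored outside the Data Center, and a trial restore
of it reproduces every file byte-for-byte (compared by SHA-256 digest).
All site names, paths, contents and thresholds below are constructed.
"""
import hashlib
from datetime import datetime, timedelta

DATA_CENTER_SITES = {"hq-datacenter"}   # assumption: locations that are NOT off-site
MAX_BACKUP_AGE = timedelta(days=1)      # assumption: daily full backups are expected


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_catalog_entry(backup_id: str, completed: datetime,
                        storage_site: str, files: dict) -> dict:
    """Record a full backup: when it finished, where the tape is kept, and a
    manifest with one digest per backed-up file (path -> sha256 hex)."""
    return {
        "id": backup_id,
        "completed": completed,
        "site": storage_site,
        "manifest": {path: digest(data) for path, data in files.items()},
    }


def verify_restore(entry: dict, restored: dict) -> list:
    """Restore test: every manifest file must come back with the same digest;
    missing files and unexpected extra files are findings too.
    An empty list means the restore is verified."""
    findings = []
    for path, expected in sorted(entry["manifest"].items()):
        data = restored.get(path)
        if data is None:
            findings.append(f"{path}: missing from restore")
        elif digest(data) != expected:
            findings.append(f"{path}: digest mismatch (corrupt or stale copy)")
    for path in sorted(set(restored) - set(entry["manifest"])):
        findings.append(f"{path}: restored but not in backup manifest")
    return findings


def audit_backup(entry: dict, restored: dict, now: datetime) -> list:
    """Return the control failures for one backup (empty list == passes)."""
    findings = []
    if now - entry["completed"] > MAX_BACKUP_AGE:
        findings.append(f"{entry['id']}: backup older than {MAX_BACKUP_AGE.days} day(s)")
    if entry["site"] in DATA_CENTER_SITES:
        findings.append(f"{entry['id']}: stored inside the Data Center ({entry['site']})")
    findings.extend(verify_restore(entry, restored))
    return findings


# Constructed production files as they stood when the backups ran.
PRODUCTION_FILES = {
    "fms/ledger.dat": b"acct=1001;balance=250000\nacct=1002;balance=75000\n",
    "pma/property.dat": b"po=PO-7781;item=laptop;tag=FBI-000123\n",
}

NOW = datetime(2003, 4, 15, 9, 0)

# A backup that satisfies the controls: fresh, in the off-site vault, restores cleanly.
GOOD_BACKUP = build_catalog_entry("FULL-2003-04-15", datetime(2003, 4, 15, 2, 10),
                                  "offsite-vault-A", PRODUCTION_FILES)

# A backup that fails them: two days old, kept in the Data Center, and the trial
# restore brings back a truncated ledger and no property file at all.
BAD_BACKUP = build_catalog_entry("FULL-2003-04-13", datetime(2003, 4, 13, 2, 10),
                                 "hq-datacenter", PRODUCTION_FILES)
BAD_RESTORE = {"fms/ledger.dat": b"acct=1001;balance=250000\n"}


def run_demo() -> dict:
    """Audit both constructed backups; returns {backup id: list of findings}."""
    return {
        GOOD_BACKUP["id"]: audit_backup(GOOD_BACKUP, dict(PRODUCTION_FILES), NOW),
        BAD_BACKUP["id"]: audit_backup(BAD_BACKUP, BAD_RESTORE, NOW),
    }


if __name__ == "__main__":
    for backup_id, findings in run_demo().items():
        print(backup_id, "PASS" if not findings else "FAIL")
        for finding in findings:
            print("  -", finding)
```

The digest comparison is what makes the restore test meaningful: a tape that mounts and lists files can still hand back a truncated or stale copy, which is exactly what the second constructed backup shows. In a real run the manifest would be written by the backup job and the restored tree read from disk after the trial restore to the backup site; the freshness window and the set of on-site locations would come from the contingency plan rather than from constants.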
Despite the progress made, additional corrective actions are necessary to mitigate weaknesses previously reported in the FY 1999 and FY 2000 reports. The FBI still must:

• continue to update the ADPT contingency plan, addressing the weaknesses identified in the FY 1999 report (material weakness); and

• ensure that the Finance Division has developed and distributed to end-users a contingency plan covering its information technology applications (material weakness).

The OIG first recommended in the FY 1999 report that the Finance Division develop and distribute a contingency plan covering its IT applications. This recommendation was repeated in the FY 2000 report, indicating that the FBI had not taken adequate corrective action. Without effective service continuity controls, information system processing functions and vital business operations may be damaged and unable to function during an extended outage or disaster because critical information and computer resources could be unavailable or inaccessible.

(7) Application Controls

According to the FISCAM, application controls are the structure, policies, and procedures that apply to separate, individual application systems such as accounts payable, inventory, payroll, grants, or loans. An application system is typically a collection or group of individual computer programs that relate to a common function. Some applications may be complex, comprehensive systems involving numerous computer programs and organizational units, such as those associated with benefit payment systems.

Application controls help ensure that transactions are valid, properly authorized, and completely and accurately processed by the computer. These controls are commonly categorized into three phases of a processing cycle:

• input: data is authorized, converted to an automated form, and entered into the application in an accurate, complete, and timely manner;

• processing: data is properly processed by the computer and files are updated correctly; and

• output: files and reports generated by the application actually occur and accurately reflect the results of processing, and reports are controlled and distributed only to authorized users.

According to the FISCAM, inadequate application controls can result in invalid, incomplete, or improperly classified data. Additionally, there is a heightened risk of inaccurate valuation or allocation of data and of unauthorized transactions.

(a) Background on Application Control Findings

Reviews of the FBI's general computer controls for FYs 1998 through 2001 included deficiencies in application controls. The FY 2001 report reviewed the FBI's PMA and reported two findings: excessive access privileges were granted over the PMA, and input and processing control weaknesses existed in the PMA. The FY 2001 report further stated that these weaknesses occurred because the FBI lacked security oversight to monitor the access of all users, and because the PMA did not have the appropriate input and processing controls built in during its initial design. According to the FBI, adding the controls to the application was not a priority due to limited PMA resources.

Because of these application control weaknesses, the PMA allowed users to make unauthorized changes to property data, leading to errors in the property computer application. In the reviews for FYs 1998 through 2001, the OIG made 15 recommendations to correct the identified application control weaknesses.23

23 These recommendations are listed in Appendix 2.

(b) FBI's Progress in Taking Corrective Actions

Since FY 1998, the FBI has made progress toward correcting the identified weaknesses. Of the 15 recommendations pertaining to this FISCAM category, 10 were closed as of April 2003, while the other 5 remained open. Of the 10 recommendations that were implemented, 9 were considered reportable conditions and 1 was a material weakness. The following table summarizes how the open and closed recommendations correspond to the reported vulnerability type.

Summary of Open and Closed Application Control Recommendations by Vulnerability Type

Type of Vulnerability        Open Recommendations   Closed Recommendations   Total Recommendations
Material Weakness                               2                        1                       3
Reportable Condition                            3                        9                      12
Management Letter Comment                       0                        0                       0
Total                                           5                       10                      15
Source: OIG analyses as of April 2003

By implementing 10 of the recommendations, the FBI improved its application control environment. Examples of these improvements include:

• defining, documenting, and communicating the roles and responsibilities for changing code in the Payroll Application (reportable condition);

• reviewing the list of users having access to code, determining which users should not be making changes in accordance with their duties and responsibilities, and revoking the access of users who should not be making changes (reportable condition);

• ensuring that user access to payroll code is authorized, documented, and periodically reviewed (reportable condition);

• adhering to the FBI's change management processes for applications and system software once formal processes have been developed (reportable condition); and

• reviewing the budgetary module of the Financial Management System (FMS), determining the cause of the application security weakness that allowed the transfer of funds beyond an authorized balance, and taking the appropriate measures to ensure that adequate controls are in place (material weakness).

Despite the progress made, additional corrective actions are necessary to mitigate the remaining weaknesses. Specifically, the FBI must:

• coordinate with the General Services Administration to synchronize file formats so that data sent via Simplified Intergovernmental Buying and Collection will correctly interface with the FMS application (reportable condition);

• ensure that the Federal Procurement Data Statistics (FPDS) screen is modified to include all the fields required for accurate procurement reporting (reportable condition);

• remove the additional access capability from any PMA user not authorized or required to have that access to complete their job function (material weakness); and

• develop and implement a plan to ensure that (a) the input control weaknesses identified in the PMA are appropriately addressed, and (b) the risk associated with the processing control weaknesses in the PMA is mitigated so that all property is entered and all purchase order and property numbers are accounted for (material weakness).

Inadequate input controls in the PMA can lead to errors in the property data, cause time-consuming physical inventory counts and reconciliations, and require the Property Management Unit to correct errors in the application data.

(8) Other Financial-Related IT Recommendations

In the FY 1996/1997 detailed report issued in support of the Financial Statement Audit, the OIG provided the FBI with three recommendations not categorized by FISCAM general control area.24 These recommendations, reported as management letter comments, involved the Year 2000 issue, strategic planning, and network encryption. All of the recommendations were closed upon issuance of the final report. The following table summarizes how the closed recommendations correspond to the reported vulnerability type.

24 These recommendations are listed in Appendix 2.

Summary of Open and Closed Non-FISCAM Category Recommendations by Vulnerability Type

Type of Vulnerability        Open Recommendations   Closed Recommendations   Total Recommendations
Material Weakness                               0                        0                       0
Reportable Condition                            0                        0                       0
Management Letter Comment                       0                        3                       3
Total                                           0                        3                       3
Source: OIG analyses as of April 2003

By implementing these recommendations, the FBI:

• provided the FBI Director with monthly briefings on the status of the Year 2000 project (management letter comment);

• developed a strategic plan that projects technology spending over a 3- to 5-year period (management letter comment); and

• evaluated encryption alternatives to reduce the risk of compromising sensitive information (management letter comment).

(9) Summary

The FBI made progress in correcting deficiencies associated with the control environment over its IT systems. Of the 105 recommendations contained in the detailed reports supporting the financial statement audits from FYs 1996 to 2001, 83 have been implemented and closed, and 22 are still open. The following table summarizes the status of the FBI's IT control environment recommendations by category.

Status of the FBI's Financial IT Control Environment Recommendations by FISCAM Category

FISCAM Category                                                  Open Recommendations   Closed Recommendations   Total Recommendations
Entity-Wide Security Program Planning and Management Controls                       2                        6                       8
Access Controls                                                                    10                       32                      42
Application Software Development and Change Controls                                2                        6                       8
System Software Controls                                                            0                        7                       7
Segregation of Duty Controls                                                        1                        4                       5
Service Continuity Controls                                                         2                       15                      17
Application Controls                                                                5                       10                      15
Other Financial-Related IT Areas                                                    0                        3                       3
Total                                                                              22                       83                     105
Source: OIG analyses as of April 2003

Of the 83 recommendations that have been implemented, 40 were originally reported by the OIG as material weaknesses, 25 were reportable conditions, and 18 were management letter comments. The following table summarizes how the open and closed recommendations correspond to the reported vulnerability type.

Summary of Open and Closed Recommendations by Vulnerability Type

Type of Vulnerability        Open Recommendations   Closed Recommendations   Total Recommendations
Material Weakness                              13                       40                      53
Reportable Condition                            8                       25                      33
Management Letter Comment                       1                       18                      19
Total                                          22                       83                     105
Source: OIG analyses as of April 2003

By implementing 83 of the 105 recommendations, the FBI improved its IT internal control environment. The FY 2001 report did not contain any system software control deficiencies. The FBI also made progress toward correcting deficiencies in entity-wide security program planning, access controls, application software development, segregation of duties, service continuity, and application controls.

Despite the progress made, as of April 2003 uncorrected deficiencies remained in the following general control areas:

• entity-wide security program planning and management;

• access controls; and

• application software development and change controls.

In addition to these findings, other vulnerabilities existed in the remaining FISCAM control areas (except for system software controls). The FBI is at increased risk of failures in its financial management and computer security functions. As a result, the FBI must take additional actions to correct these deficiencies. Also, 13 of the 22 open recommendations related to material weaknesses, which suggests that, without compensating controls, there is an increased risk that material errors in the financial statements will not be detected.

We noted that 30 of the open and closed recommendations were repeated in subsequent reports. Further, many of the findings and recommendations noted in these internal control reports on the FBI's IT environment were also repeated in audits of the FBI's compliance with GISRA. The following table summarizes the status of recommendations that have been repeated in subsequent OIG reports.

Status of the FBI's Financial IT Control Environment Repeated Recommendations by Category

FISCAM Category                                                  Open Repeated Recommendations   Closed Repeated Recommendations   Total Repeated Recommendations
Entity-Wide Security Program Planning and Management Controls                                1                                 3                                4
Access Controls                                                                              3                                 7                               10
Application Software Development and Change Controls                                         1                                 3                                4
System Software Controls                                                                     0                                 1                                1
Segregation of Duty Controls                                                                 0                                 2                                2
Service Continuity Controls                                                                  1                                 8                                9
Application Controls                                                                         0                                 0                                0
Other Financial-Related IT Areas                                                             0                                 0                                0
Total                                                                                        6                                24                               30
Source: OIG analyses as of April 2003

Because of the uncorrected and repeated deficiencies identified in these reviews, we believe that the FBI's overall progress in implementing financial-related IT internal control recommendations has been weak. Moreover, FBI management had not consistently responded to OIG inquiries about the status of corrective actions, and the FBI lacked an effective management process for tracking, responding to, and implementing recommendations. However, during FY 2002, the OIG noted significant improvement in the FBI's responsiveness to inquiries about corrective actions. During FY 2002, the Inspection Division began developing written policies and procedures designed to assist the FBI with its audit follow-up responsibilities. Further, the Inspection Division created a database to track audit recommendations, responses to the OIG and other inquiries, and corrective actions. The FBI's efforts to improve its audit follow-up are discussed in more detail later in this report.

While the Inspection Division has improved the FBI's responsiveness to audit recommendations, the ability of the FBI to correct many of its IT deficiencies ultimately rests with the commitment and actions of senior FBI management.

D. Computer Security Reports in Response to GISRA

The FY 2001 Defense Authorization Act (Public Law 106-398) includes Title X, Subtitle G, "Government Information Security Reform Act." GISRA became effective on November 29, 2000, and amended the Paperwork Reduction Act of 1995 by enacting a new subchapter on "Information Security." It required federal agencies to:

• perform an annual independent evaluation of their information security practices;

• ensure that information security policies are founded on a continuous risk management cycle;

• implement controls that appropriately assess information security risks;

• promote continuing awareness of information security risks;

• continually monitor and evaluate information security policies;

• control the effectiveness of information security practices; and

• provide a risk assessment and report on the security needs of the agency's systems, and include the report in the budget request to the Office of Management and Budget.

Beginning in FY 2001, GISRA also required the OIG to independently evaluate the DOJ's information security program and practices. In addition to the FISCAM, the OIG used standards provided by the National Institute of Standards and Technology (NIST) as the basis for its audit approach.25

25 The NIST is a non-regulatory entity of the U.S.
Department of Commerce. According to the NIST, its mission is to develop and promote measurements, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.

The NIST has issued guidance detailing the specific controls that should be documented by federal agencies in their system security plans.26 The purpose of the security plan is to provide an overview of the security requirements of the system and to describe the controls in place or planned for meeting those requirements. The system security plan also delineates the responsibilities and expected behavior of all individuals who access the system.

26 This guidance is contained in NIST Special Publication 800-18, "Guide for Developing Security Plans for Information Technology Systems."

The NIST has separated the security plan controls into three major control areas: (1) management controls, (2) operational controls, and (3) technical controls. Within each of the three control areas there are a number of subordinate categories of controls. For example, technical controls include password management, logon management, account integrity management, and system auditing management.

Management controls address security topics that can be characterized as managerial. These controls represent techniques and concerns that normally are addressed by management in the organization's computer security program. In general, these controls focus on the management of the computer security program and the management of risk within the organization.

Operational controls address security controls that are implemented and executed by people (as opposed to systems). These controls are put in place to improve the security of a particular system (or group of systems). They often require technical or specialized expertise and rely upon management activities as well as technical controls.

Technical controls focus on security controls that the computer system executes. These controls depend upon the proper functioning of the system for their effectiveness. The implementation of technical controls, however, always requires significant operational considerations and should be consistent with the management of security within the organization.

For FY 2001, the OIG selected the FBI's administrative and investigative mainframe systems as two of the four classified systems it reviewed for the GISRA audit. For FY 2002, the OIG selected two FBI investigative applications, the Automated Case Support (ACS) system27 and the DRUGX Interactive Trusted Guard,28 as two of the three classified systems it reviewed. The criteria used for findings and recommendations were based upon the guidelines established by the NIST.

27 The FBI uses the ACS system, which resides on the FBI's investigative mainframe, to store information related to FBI investigations and cases, including criminal and intelligence cases. The system allows FBI personnel to open and assign cases, set and assign leads, store the text of documents, and index, search, and retrieve those documents.

28 The FBI uses the Drug Enforcement Administration (DEA) DRUGX application to share information on current drug investigations. The application was a DOJ joint agency effort involving the FBI and the DEA. The DRUGX Interactive Trusted Guard (DRUGX trusted guard) permits FBI personnel interactive one-way access to the DRUGX application via the FBI's network. Access to the DRUGX application provides FBI investigative personnel with query access to basic information concerning current drug investigations being conducted by the FBI and the DEA. The purpose of a trusted guard system is to provide a secure interconnection between two computer systems or networks, each of which operates at a different classification level.

(1) FY 2001 GISRA Report

In May 2002, the OIG issued its FBI GISRA audit report for FY 2001. The objective of the audit was to determine DOJ compliance with GISRA requirements. The OIG assessed whether adequate computer security controls existed to protect DOJ systems from unauthorized use, loss, or modification.

The OIG found that since May 2002, the FBI made progress in correcting some of the management, operational, and technical control deficiencies identified in the report. Of the 23 recommendations contained in the GISRA report, 6 have been implemented and closed, and 17 are still open.

Despite the progress made, the FBI must take further action to enhance these controls. As of April 2003, vulnerabilities remained in the security controls of the FBI's administrative and investigative mainframe systems. The following sections provide details on: (1) the background of the FY 2001 GISRA report findings related to management, operational, and technical controls; and (2) the FBI's progress in taking corrective actions.

(a) Background on Management Control Findings

The FY 2001 GISRA report identified management control vulnerabilities in the enforcement of security policies, procedures, standards, and guidelines governing the FBI's administrative and investigative mainframes. The report stated that although the FBI had established security policies, procedures, standards, and guidelines, management failed to ensure that they were performed and enforced. The report made six recommendations directed toward correcting the identified management control vulnerabilities.29

29 These recommendations are listed in Appendix 2.

(b) FBI's Progress in Taking Corrective Actions

The FBI has made progress in correcting management control weaknesses since the report was issued in May 2002. Two of the six recommendations pertaining to management controls were closed, while the other four remained open as of April 2003. The recommendations that were closed related to (1) defining and documenting all criticality levels used to classify applications, and (2) documenting a corrective action plan to address the vulnerabilities identified in the risk analyses for the investigative and administrative mainframe systems.30

30 According to NIST Special Publication 800-18, the information stored within, processed by, or transmitted by a system provides the value of the system and is one of the major factors in risk management, which makes defining the criticality of system applications essential.

Despite the progress made, additional actions are necessary to mitigate the remaining management control vulnerabilities. Specifically, the FBI still must demonstrate that it is:

• distributing, obtaining, and maintaining signed statements of end-users' acceptance of the Automated Information System Rules of Behavior for the investigative and administrative mainframe systems;

• ensuring that the Manual of Investigative Operations and Guidelines (MIOG) and other FBI security policies reflect the evolving systems environment and are enforced;

• obtaining a full accreditation for the investigative and administrative mainframe systems from the FBI's approving authority (a conditional accreditation should be unacceptable); and

• conducting annual refresher computer training for all employees.

In its FY 1998 and FY 2000 reports on the FBI's control environment over its financial-related IT systems, the OIG reported findings on security policies, procedures, standards, and guidelines. Accordingly, the OIG made recommendations in its FY 1998 (recommendation 15) and FY 2000 (recommendation 1) reports that were similar to the recommendations made in the FY 2001 GISRA report. These recommendations remained open as of April 2003. Additionally, four of the six GISRA recommendations pertaining to management control issues remained open as of April 2003. As a result, we believe that the FBI has not taken adequate corrective actions to reduce the potential for sensitive information to be compromised, lost, misused, or altered without authorization.

(c) Background on Operational Control Findings

The FY 2001 GISRA report identified operational control vulnerabilities in physical controls and in system and network backup and restoration controls. The report stated that the vulnerabilities existed because FBI management (1) did not enforce physical controls at FBI Headquarters, and (2) had not taken the necessary steps to identify the priority of systems for restoration or to ensure that Data Center personnel were aware of, and had tested, the appropriate contingency planning and backup procedures. The report made four recommendations directed toward correcting the identified operational control vulnerabilities.31

31 These recommendations are listed in Appendix 2.

(d) FBI's Progress in Taking Corrective Actions

The FBI has made progress in correcting operational control weaknesses since the report was issued in May 2002. Two of the four recommendations pertaining to operational controls were closed as of April 2003, while the other two remained open. The recommendations that were closed related to (1) restricting physical access to all wiring closets, and (2) establishing optimal operating system capacities and implementing procedures to alleviate near-capacity usage.

Despite the progress made, additional actions are necessary to mitigate the remaining operational control vulnerabilities. Specifically, the FBI must:

• document procedures for identifying and restoring mission-critical systems; and

• complete the production test exercise involving the transfer of production operations and applications to the backup site, and train Data Center staff for this contingency control.

In its FY 1999 and FY 2000 reports on the FBI's control environment over its financial-related IT systems, the OIG reported findings in system and network backup and restoration controls. Accordingly, the OIG made seven recommendations in its FY 1999 report (recommendations 23 and 25-31) and three recommendations in its FY 2000 report (recommendations 13-15) that were similar to the recommendations made in the FY 2001 GISRA report. Because two of the four GISRA recommendations pertaining to operational controls remained open as of April 2003, we conclude that the FBI has not demonstrated that adequate corrective action was taken to reduce the potential for failed restoration procedures or unexpected loss or disruption of services.

(e) Background on Technical Control Findings

The FY 2001 GISRA report identified technical control vulnerabilities in password management, logon management, account integrity management, system auditing management, and system patches. The report stated that the vulnerabilities existed for the following reasons.

• FBI management did not ensure that operating system password settings were appropriate and that DOJ security policies were being followed.

• FBI security management did not implement logon management controls or provide oversight to ensure that DOJ and FBI security policies were followed.

• Budgetary constraints had prevented the FBI from implementing automated software change controls. Additionally, the FBI had not established procedures consistent with its security policy or updated them to reflect its current information technology environment.

• Security parameters were not appropriately set to enable auditing.

• FBI management had not taken the necessary measures to ensure that proper safeguards were in place to prevent unauthorized access to, loss of, or misuse of the system.

The report made 13 recommendations directed toward correcting the identified technical control vulnerabilities.

(f) FBI's Progress in Taking Corrective Actions

The FBI has made limited progress in correcting technical control weaknesses since the report was issued in May 2002. Two of the 13 recommendations pertaining to technical controls were closed as of April 2003, while the other 11 remained open. The closed recommendations related to (1) fully implementing and using the System Access Request function to document user logon and verify that user access is commensurate with assigned responsibilities, and (2) ensuring that communication carrier signals are not connected to unencrypted network devices.

Additional actions are necessary to mitigate the remaining technical control vulnerabilities. Specifically, the FBI still must demonstrate to the OIG that it is:

• implementing and enforcing DOJ password policies by resetting and monitoring operating system settings accordingly;

• requiring that system administrators periodically review and delete all system accounts that have been unused for more than 90 days;

• enabling account lockout on all systems so that lockout occurs after three unsuccessful logon attempts;

• enforcing the use of the FBI's Service Center as a centralized approval point to track all change requests from initiation through final disposition;

• implementing the format and content standards for information technology development and maintenance support test plans;

• updating the Architecture Change Management Policy to reflect the FBI's current information application and system software environment;

• documenting procedures to establish the supervisory review process for software changes when deviations from normal procedures occur;

• enabling audits to capture the system information necessary to comply with DOJ policy; and

• applying manufacturer patches to all network operating systems in a timely manner to prevent system compromise.

Additionally, the FBI disagreed with one OIG recommendation in the report, and this recommendation was in an "unresolved" status as of April 2003.32 The recommendation relates to enforcing DOJ security policies and ensuring sufficient controls for FBI systems to operate.

Findings with password management, logon management,
account\nintegrity management, system auditing management, and system patches\nwere reported by the OIG in its FYs 1996 to 2000 reports on the FBI\xe2\x80\x99s\ncontrol environment over its IT systems. Accordingly, the OIG made one\nrecommendation in its FY 1996/97 report (recommendation 18); three\nrecommendations in its FY 1998 report (recommendations 6, 8, and 21);\nseven recommendations in its FY 1999 (recommendations 6, 8, 10,\n17-19, and 35) and FY 2000 reports (recommendations 2-4, 7, 8, 16, and\n17) that were similar to the recommendations made in the FY 2001 GISRA\nreport. Because 11 of the 13 GISRA recommendations remained open as of\nApril 2003, in our judgment the FBI has not demonstrated that adequate\ncorrective action was taken to reduce the potential for: (1) unauthorized\ndisclosure, unauthorized data modification, and the misuse and abuse of the\nFBI\xe2\x80\x99s automated resources; and (2) critical system data pertaining to\nindividual user accountability, reconstruction of system events, and problem\nidentification to be permanently lost.\n\n\n\n\n      32\n            Appendix 2 provides more detail on the FBI\xe2\x80\x99s response to the unresolved\nrecommendation. Unresolved recommendations occur when the component disagrees with\nall or part of the finding.\n                                      - 46 \xe2\x80\x93\n\x0c(g) Summary\n\n      The FBI made limited progress in correcting deficiencies reported in\nthe OIG FY 2001 GISRA audit. Of the 23 recommendations contained in the\nreport, 6 have been implemented and closed, and 17 remain open. 
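As an added illustration (not part of the OIG report or any FBI system) of how an auditor could test three of the open technical-control items listed in section (f) above, the following Python script checks a constructed account export for accounts unused for more than 90 days, compares exported lockout and auditing settings against the required values (the setting names are illustrative, not a specific product's parameters), and scans constructed logon audit lines for users who passed three consecutive failures without a recorded lockout.

```python
"""Audit checks for technical controls required by the FY 2001 GISRA report
(section (f)): stale accounts (> 90 days unused), account lockout after three
unsuccessful logon attempts, and auditing enabled. Hypothetical helper written
for this page, not FBI or OIG code; every input below is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

STALE_DAYS = 90          # report: "unused for more than 90 days"
LOCKOUT_THRESHOLD = 3    # report: "lockout occurs after three unsuccessful logon attempts"


@dataclass(frozen=True)
class Account:
    name: str
    last_logon: Optional[date]   # None means the account has never logged on


def stale_accounts(accounts: list[Account], as_of: date,
                   max_idle_days: int = STALE_DAYS) -> list[str]:
    """Names of accounts idle for more than max_idle_days as of `as_of`.
    Never-used accounts are always reported: they cannot meet the 90-day rule
    and are a classic account-integrity gap."""
    stale = []
    for acct in accounts:
        if acct.last_logon is None or (as_of - acct.last_logon).days > max_idle_days:
            stale.append(acct.name)
    return sorted(stale)


def lockout_setting_findings(settings: dict) -> list[str]:
    """Compare exported OS security settings with the report's requirements.
    Keys are illustrative names chosen for this example. A threshold of 0 is
    treated as 'lockout disabled', the usual convention."""
    findings = []
    threshold = settings.get("lockout_threshold", 0)
    if threshold == 0 or threshold > LOCKOUT_THRESHOLD:
        findings.append(f"lockout_threshold={threshold}: must be 1..{LOCKOUT_THRESHOLD}")
    if not settings.get("audit_logon_events", False):
        findings.append("audit_logon_events=off: auditing must be enabled")
    return findings


def unlocked_after_threshold(log_lines: list[str],
                             threshold: int = LOCKOUT_THRESHOLD) -> list[str]:
    """From logon audit lines, find users who reached `threshold` consecutive
    failures and were still allowed further attempts or a success without the
    host recording a LOCKOUT. That shows the control is configured on paper
    but not enforced. Constructed line format: '<ISO timestamp> <EVENT> user=<name>'."""
    streak: dict[str, int] = {}
    offenders: set[str] = set()
    for line in log_lines:
        _ts, event, user_field = line.split()
        user = user_field.split("=", 1)[1]
        if event == "LOGON_FAILURE":
            streak[user] = streak.get(user, 0) + 1
            if streak[user] > threshold:        # attempt accepted past the threshold
                offenders.add(user)
        elif event == "LOGON_SUCCESS":
            if streak.get(user, 0) >= threshold:  # should have been locked already
                offenders.add(user)
            streak[user] = 0
        elif event == "LOCKOUT":                # control worked; reset the streak
            streak[user] = 0
    return sorted(offenders)


# Constructed sample data. The as-of date matches the report's status cutoff.
AS_OF = date(2003, 4, 30)
SAMPLE_ACCOUNTS = [
    Account("agent01", date(2003, 4, 15)),
    Account("contractor7", date(2002, 12, 1)),   # 150 days idle
    Account("batchsvc", None),                   # never used
    Account("analyst3", date(2003, 1, 30)),      # exactly 90 days: still allowed
]
WEAK_SETTINGS = {"lockout_threshold": 0, "audit_logon_events": False}
CORRECTED_SETTINGS = {"lockout_threshold": 3, "audit_logon_events": True}
SAMPLE_LOG = [
    "2003-04-29T08:01:12 LOGON_FAILURE user=agent01",
    "2003-04-29T08:01:30 LOGON_FAILURE user=agent01",
    "2003-04-29T08:01:47 LOGON_FAILURE user=agent01",
    "2003-04-29T08:01:48 LOCKOUT user=agent01",         # control enforced
    "2003-04-29T09:10:02 LOGON_FAILURE user=analyst3",
    "2003-04-29T09:10:20 LOGON_FAILURE user=analyst3",
    "2003-04-29T09:10:41 LOGON_FAILURE user=analyst3",
    "2003-04-29T09:11:05 LOGON_FAILURE user=analyst3",  # fourth failure, no lockout
    "2003-04-29T09:11:30 LOGON_SUCCESS user=analyst3",
]

if __name__ == "__main__":
    print("stale accounts:", stale_accounts(SAMPLE_ACCOUNTS, AS_OF))
    print("weak settings:", lockout_setting_findings(WEAK_SETTINGS))
    print("corrected settings:", lockout_setting_findings(CORRECTED_SETTINGS))
    print("lockout not enforced for:", unlocked_after_threshold(SAMPLE_LOG))
```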
The\nfollowing table summarizes the status of the FBI\xe2\x80\x99s FY 2001 GISRA report\nrecommendations by NIST category.\n\n    Status of the FBI\xe2\x80\x99s FY 2001 GISRA Report Recommendations\n                          by NIST Category\n\n                        Number of Open    Number of Closed     Total Number of\n   NIST Category       Recommendations    Recommendations     Recommendations\nManagement Controls               4              2                     6\nOperational Controls              2              2                     4\nTechnical Controls               11              2                    13\n                 Total           17             6                     23\nSource: OIG analyses as of April 2003\n\n      By implementing six of the recommendations, the FBI made\nimprovements to its computer security over its Headquarters and\nData Centers investigative and mainframe systems. These improvements\nincluded: (a) defining and documenting all criticality levels used to classify\napplications, (b) establishing optimal operating system capacities and\nimplementing procedures to alleviate the near capacity usage, (c) fully\nimplementing and using the System Access Request function to document\nuser logon and verify that user access is commensurate with assigned\nresponsibilities, and (d) ensuring that the communication carrier signals are\nnot connected to unencrypted network devices.\n\n      Despite the progress made, as of April 2003 significant vulnerabilities\nremained with management, operational, and technical controls. The OIG\nassessed these vulnerabilities as high-to-moderate risk for the protection of\nthe FBI\xe2\x80\x99s administrative and investigative mainframe systems from\nunauthorized use, loss, or modification. 
Specifically, vulnerabilities remained\nin the following areas:\n\n      \xe2\x80\xa2   security policies, procedures, standards, and guidelines;\n\n      \xe2\x80\xa2   system and network backup and restoration controls;\n\n      \xe2\x80\xa2   password management;\n\n\n                                     - 47 \xe2\x80\x93\n\x0c      \xe2\x80\xa2    logon management;\n\n      \xe2\x80\xa2    account integrity management;\n\n      \xe2\x80\xa2    system auditing management; and\n\n      \xe2\x80\xa2    system patches.\n\n       These vulnerabilities resulted from DOJ and FBI security management\nnot enforcing existing security policies, not developing a complete set of\npolicies to effectively secure the administrative and investigative\nmainframes, and not holding FBI personnel responsible for timely correction\nof recurring findings. Further, the report stated that the lack of timely and\neffective oversight from DOJ and FBI management caused inconsistencies in\nthe implementation of security guidelines and resulted in a weakened\nsecurity infrastructure.\n\n       The FY 2001 GISRA report stated that FBI management has been slow\nin correcting deficiencies and implementing suggested corrective actions in\nits systems\xe2\x80\x99 environment. Since FY 1996, the OIG has reviewed the FBI\xe2\x80\x99s\nHeadquarters Data Center computer systems\xe2\x80\x99 general controls as part of the\nFBI annual financial statement audit. Many of the vulnerabilities previously\nreported to the FBI in reviews of general controls as part of the FBI financial\nstatement related reports from FYs 1996 through 2000 continued to exist\nduring the FY 2001 GISRA audit. As a result, the FY 2001 GISRA report\nconcluded that there was a lack of commitment and oversight from DOJ and\nFBI management regarding corrective action on prior audit findings. 
This\nlack of oversight caused inconsistencies in the implementation of security\nguidelines and resulted in a weakened data security infrastructure. As\ndiscussed in the following sections, some of these vulnerabilities were\nreported again in the FY 2002 GISRA audits.\n\n(2) FY 2002 GISRA Report on the ACS System\n\n      In November 2002, the OIG issued the FY 2002 GISRA report on the\nACS system.33 The objective of the audit was to determine the DOJ\xe2\x80\x99s\ncompliance with GISRA requirements. The ACS system was selected as one\nof the subset of systems to be tested to determine the effectiveness of the\nDOJ\xe2\x80\x99s overall security program for FY 2002. In determining if the DOJ was\n\n      33\n          Because the FY 2002 GISRA report on the ACS system was issued in November\n2002, we did not examine the FBI\xe2\x80\x99s progress toward implementing the recommendations\ncontained in the report.\n\n                                       - 48 \xe2\x80\x93\n\x0ccompliant with GISRA requirements, the OIG assessed whether adequate\ncomputer security controls existed to protect the ACS system from\nunauthorized use, loss, or modification.\n\n(a) Background on Report Findings\n\n      The FY 2002 GISRA report on the ACS system found the following\nimprovements or satisfactory operations in the ACS system\xe2\x80\x99s information\nsecurity.34\n\n       \xe2\x80\xa2    The overall policy for change control dictates the creation of a\n            Change Control Board, which is an important control in ensuring\n            that changes made to the system are approved.\n\n       \xe2\x80\xa2    Security requirements are included in each requirement document\n            to ensure that security is reviewed and integrated into the initial\n            stages of system development.\n\n       \xe2\x80\xa2    The investigative mainframe applications, including the\n            ACS system, have been certified and accredited in accordance with\n            the 
National Information Assurance Certification and Accreditation\n            Process.\n\n       \xe2\x80\xa2    Record counts are used within the Investigative Case Management\n            system to track cases and investigative leads.35\n\n       \xe2\x80\xa2    The FBI has developed a system security plan for the investigative\n            mainframe applications that has been approved by\n            management and includes the elements identified in the\n            NIST Publication 800-18.\n\n       \xe2\x80\xa2    Effective procedures are in place requiring re-investigations (which\n            strengthen personnel security) to be performed in a timely manner.\n\n       \xe2\x80\xa2    Controls are in place over the security of personally identifiable\n            information.\n\n\n\n       34\n           These improvements or satisfactory operations relate to specific security criteria\nset forth by GISRA. As a result, these improvements are not indicative of the overall\nfunctionality of the ACS system, which is discussed later in this report.\n       35\n            Investigative Case Management is a case management system within the ACS\nsystem.\n                                           - 49 \xe2\x80\x93\n\x0c      \xe2\x80\xa2   A help desk is in place for the ACS system users.\n\n      \xe2\x80\xa2   The IT contingency plan for the FBI Headquarters Data Center\n          identifies critical data files and operations. 
The plan also identifies\n          the frequency of data backups and includes procedures to allow the\n          FBI to continue essential functions if information technology support\n          is interrupted.\n\n      \xe2\x80\xa2   The FBI\xe2\x80\x99s investigative mainframe applications use the mainframe\n          security software to control password derivations, which complies\n          with DOJ Order 2640.2D.\n\n      \xe2\x80\xa2   The FBI has an up-to-date network diagram of the FBI LAN rings on\n          which the investigative mainframe resides, which houses the ACS\n          system.\n\n      \xe2\x80\xa2   An automated system is used to request and approve access to the\n          ACS system. This system has automated capabilities for requesting\n          access and ensuring that approvals are received before access is\n          granted. In addition, this system automatically adds requests into\n          a queue for the access administrator\xe2\x80\x99s workload, thereby\n          minimizing the time required to turn these requests around and\n          eliminating the possibility of lost requests.\n\n       However, security controls needed improvement to protect the ACS\nsystem from unauthorized use, loss, or modification. Specifically, the report\nidentified vulnerabilities in 6 of the 17 control areas, including life cycle,\npersonnel security, security awareness, training and education, incident\nresponse capability, and logical access. The report stated that similar\ntechnical control vulnerabilities were noted in the FY 2001 GISRA audit.\n\n     These vulnerabilities occurred because the managers of the\nACS system management did not consistently apply DOJ and FBI policies\nand procedures.\n\n(b) FBI\xe2\x80\x99s Progress in Taking Corrective Actions\n\n       The FY 2002 GISRA report on the ACS system made eight\nrecommendations directed toward correcting the noted deficiencies. 
As of\nApril 2003, six of the recommendations were open, and two were closed.\nAlthough we did not formally assess the FBI\xe2\x80\x99s progress in taking corrective\nactions given the relatively recent issuance of the report, the report stated\nthat it is critical for the FBI to take immediate corrective actions on the\n\n                                     - 50 \xe2\x80\x93\n\x0crecommendations pertaining to technical control vulnerabilities because of\nsimilar vulnerabilities noted in prior audits. As a result, the FY 2002 GISRA\nreport on the ACS system, like the FY 2001 GISRA report, noted repeated\ndeficiencies in general control areas. Specifically, vulnerabilities were noted\nwithin password management, logon management, account integrity\nmanagement, system auditing management, and system patches. The\nreport further stated that, if not corrected, these security vulnerabilities\nthreaten the ACS system and its data with the potential for unauthorized\nuse, loss, or modification.\n\n(3) FY 2002 GISRA Report on the DRUGX Trusted Guard\n\n      In November 2002, the OIG also issued the FY 2002 GISRA report on\nthe DRUGX Interactive Trusted Guard (DRUGX Trusted Guard).36 The\nobjective of the audit was to determine the DOJ\xe2\x80\x99s compliance with the\nrequirements of GISRA. The DRUGX Trusted Guard was selected as one of\nthe subset of systems to be tested to determine the effectiveness of the\nDOJ\xe2\x80\x99s overall security program for FY 2002. In determining if the DOJ is\ncompliant with GISRA requirements, the OIG\xe2\x80\x99s contractor assessed whether\nadequate computer security controls existed to protect the DRUGX Trusted\nGuard from unauthorized use, loss, or modification.\n\n(a) Background on Report Findings\n\n      The FY 2002 GISRA report on the DRUGX Trusted Guard found\nimprovements or satisfactory operations in the DRUGX Trusted Guard\xe2\x80\x99s\ninformation security. 
Specifically, improvements or satisfactory operations\nincluded:\n\n       \xe2\x80\xa2    The FBI has developed a comprehensive system security plan\n            for the DRUGX Trusted Guard system that follows the\n            NIST Special Publication 800-18 and contains required data\n            concerning existing controls of the system and the environment.\n\n       \xe2\x80\xa2    Effective procedures are in place requiring re-investigations to be\n            performed in a timely manner.\n\n       \xe2\x80\xa2    Controls are in place over the security of personal information.\n\n\n       36\n         Because the FY 2002 GISRA report on the DRUGX Trusted Guard was issued in\nNovember 2002, close to the issuance of this report, we did not examine the FBI\xe2\x80\x99s progress\ntoward implementing the recommendations contained in the report.\n\n                                         - 51 \xe2\x80\x93\n\x0c      \xe2\x80\xa2   The connection between the FBI\xe2\x80\x99s network and the DRUGX\n          application is completed through a trusted guard, providing a\n          secure interconnection between two computer systems or networks.\n\n      \xe2\x80\xa2   No printers are attached to the DRUGX Trusted Guard, which\n          eliminates the possibility of printed output falling into unauthorized\n          hands.\n\n      \xe2\x80\xa2   All damaged media from the DRUGX Trusted Guard is destroyed\n          and an associated electronic communication is created to account\n          for that media.\n\n      \xe2\x80\xa2   The FBI has a current network diagram of the FBI LAN rings, to\n          which the DRUGX Trusted Guard is connected.\n\n       However, security controls needed improvement to protect the DRUGX\nTrusted Guard from unauthorized use, loss, or modification. 
Specifically, the\nOIG found security vulnerabilities in 8 of the 17 control areas, including\nsecurity controls, personnel security, contingency planning, security\nawareness, training and education, incident response capability,\nidentification and authentication, logical access, and audit trails.\n\n      These vulnerabilities occurred because FBI management did not\nenforce the documented policies and procedures for the DRUGX Trusted\nGuard. Additionally, FBI management did not always ensure that IT policies\nand procedures were implemented.\n\n(b) FBI\xe2\x80\x99s Progress in Taking Corrective Actions\n\n      The FY 2002 GISRA report on the DRUGX Trusted Guard made\n12 recommendations directed toward correcting the noted deficiencies. As\nof April 2003, eight of the recommendations were open and four were\nclosed. Although we did not formally assess the FBI\xe2\x80\x99s progress in taking\ncorrective actions, the security vulnerabilities documented in this report, if\nnot corrected, threaten the DRUGX Trusted Guard and its data with the\npotential for unauthorized use, loss, or modification.\n\n(4) Summary of Reports on the FBI\xe2\x80\x99s Compliance with GISRA\n\n     As stated in the sections above, the three GISRA reports issued by the\nOIG related to FBI systems have found vulnerabilities associated with\nmanagement, operational, and technical controls. Additionally, the FY 2001\nGISRA report stated that the FBI has been slow to take corrective actions\n\n                                     - 52 \xe2\x80\x93\n\x0csince many of these vulnerabilities were previously reported in annual audits\nof general controls. Further, the FY 2002 GISRA report on the FBI\xe2\x80\x99s ACS\nsystem stated that similar vulnerabilities continued.\n\n       The FY 2002 GISRA reports on the FBI\xe2\x80\x99s ACS and\nDRUGX Trusted Guard systems stated that within the FBI, only the\nInspection Division tracked remedial actions to reported computer security\nvulnerabilities. 
With the exception of audits performed by the OIG, the FBI\xe2\x80\x99s\nInspection Division did not track the ACS or DRUGX systems\xe2\x80\x99 vulnerabilities\nidentified in other audits and the corresponding corrective actions. Further,\nthese reports stated that the Inspection Division did not receive any other\naudit results or reviews outside of the OIG audits and therefore has limited\nknowledge of other reported vulnerabilities.\n\n      According to the FY 2002 GISRA reports, without an effective tracking\nsystem, the FBI is unable to identify, assess, prioritize, and monitor the\nprogress of corrective efforts for security weaknesses found in programs and\nsystems. As a result, the FY 2002 GISRA reports recommended that the FBI\ndetermine the responsible organization for tracking and maintaining all\nvulnerabilities identified during audits and reviews. In addition, the reports\nrecommended that the FBI develop a mechanism for tracking the\nvulnerabilities and the status of the associated corrective actions resulting\nfrom all IT audits and reviews.\n\n       During FY 2002, the Inspection Division began developing written\npolicies and procedures designed to assist the FBI with its audit follow-up\nresponsibilities. To help in this effort the Inspection Division created a\ndatabase to track: (1) recommendations; (2) responses to OIG, GAO, and\nother inquiries; and (3) the status of corrective actions. However, for\nsystem audits, the FBI has reported that its Information Assurance Section\nhas taken steps to centrally manage the status of vulnerabilities and\ncorrective actions. We believe that the FBI should consider using the\nInspection Division to oversee all recommendations, including those\ngenerated from system audits. The FBI\xe2\x80\x99s recent actions to improve its audit\nfollow-up responsibilities are discussed in more detail later in this report.\n\nE. 
Reports on OIG Special Investigations of the FBI\n\n      Since 1998, the OIG has issued the following two special investigation\nreports containing FBI IT or document management related\nrecommendations:\n\n\n\n                                    - 53 \xe2\x80\x93\n\x0c      \xe2\x80\xa2    the 1999 report on the DOJ\xe2\x80\x99s Campaign Finance Task Force\n           investigation (Campaign Finance); and\n\n      \xe2\x80\xa2    the 2002 report on the FBI\xe2\x80\x99s investigation into the related\n           production of documents in the Oklahoma City Bombing case\n           (McVeigh).\n\n       These reports considered the policies and procedures related to the\nmanagement of information and documents within the FBI, the\ndissemination of information to organizations outside the FBI, and the\neffectiveness of information technology utilized by the FBI. The reports cited\ndeficiencies in the FBI\xe2\x80\x99s IT and document management and contained\n20 IT-related recommendations designed to correct IT deficiencies.37 The\nfollowing table summarizes the status of the recommendations issued to the\nFBI.\n\n      Status of the FBI\xe2\x80\x99s Special Investigation Recommendations\n                                  by Report\n\n                     Number of Open       Number of Closed      Total Number of\n  Report Name       Recommendations       Recommendations      Recommendations\nCampaign Finance\nReport                        5                    0                    5\nMcVeigh Report               11                    4                   15\n            Total            16                    4                   20\nSource: OIG analyses as of April 2003\n\n      We found the FBI\xe2\x80\x99s current and planned corrective actions, including\nthe implementation of Trilogy, have the potential to address 16 of the\n20 recommendations that we examined from the Campaign Finance and\nMcVeigh reports. 
However, the ultimate success of Trilogy will not be\ndetermined until at least June 2004 when the final phases of the project are\nscheduled for completion.\n\n       The following section provides background information on Trilogy,\nsince its successful completion is critical to not only addressing OIG\nrecommendations but also the future of the FBI\xe2\x80\x99s IT program.\n\n\n\n\n      37\n         We included recommendations related to document management because FBI\ndocuments are generally produced electronically or managed in automated databases and\nsystems.\n                                        - 54 \xe2\x80\x93\n\x0c(1) Background on Trilogy\n\n      Trilogy is an IT modernization project designed to upgrade the FBI\xe2\x80\x99s:\n(1) hardware and software or Information Presentation Component (IPC),\n(2) communication networks or Transportation Network Component (TNC),\nand (3) User Application Component (UAC). The IPC and TNC upgrades will\nprovide the physical infrastructure needed to run the applications from the\nUAC.\n\n     \xe2\x80\xa2   The IPC refers to how users see and interact with information. The\n         IPC provides new desktop computers, servers, and commercial-off-\n         the-shelf office automation software, including a web-browser and\n         e-mail to enhance usability by the agents.\n\n     \xe2\x80\xa2   The TNC is the complete communications infrastructure and support\n         to create, run, and maintain the FBI\xe2\x80\x99s networks. The TNC includes\n         high capacity wide-area and local-area networks, authorization\n         security, and encryption of data transmissions and storage.\n\n     \xe2\x80\xa2   The UAC is intended to replace five of the FBI\xe2\x80\x99s primary\n         investigative applications in order to reduce agents\xe2\x80\x99 reliance on\n         paperwork and improve efficiency. 
Through the creation of the\n         Virtual Case File (VCF), a web-based \xe2\x80\x9cpoint-and-click\xe2\x80\x9d case\n         management system, agents are expected to have multi-media\n         capability that will allow them to scan documents, photos, and\n         other electronic media into the case file.\n\n      In November 2000, Congress appropriated $100.7 million for the first\nyear of the $379.8 million Trilogy project, which was to be funded over a 3-\nyear period from the date contractors were hired. The $100.7 million was a\ncombination of new program funding and a reprogramming of base\nresources. When the FBI requested contractor support for Trilogy, it\ncombined the IPC and TNC portions for continuity because both portions\nencompass physical IT infrastructure enhancements. By direction of the DOJ\nProcurement Executive, the TNC/IPC and the UAC contracts were awarded to\ntwo different contractors. The contractor for the IPC and TNC portions was\nhired in May 2001, and the originally-scheduled completion date for these\ncomponents was May 2004. A different contractor was hired in June 2001 to\ncomplete the UAC portion of Trilogy by June 2004.\n\n     After the September 11, 2001, terrorist attacks, the urgency of\ncompleting Trilogy increased, and the FBI explored options to accelerate the\ndeployment of all three components of Trilogy. The FBI informed Congress\n\n                                    - 55 \xe2\x80\x93\n\x0cin February 2002 that with an additional $70 million, the FBI could\naccelerate the deployment of Trilogy. 
This acceleration would include\ncompletion of the IPC/TNC phase by July 2002 and rapid deployment of the\nmost critical analytical tools included as part of the UAC.\n\n      In January 2002, Congress supplemented the FY 2002 Trilogy budget\nwith $78 million to expedite the deployment of all three components.38 This\nsupplemental appropriation increased the total funding of Trilogy from\napproximately $380 million to $458 million. Even with these additional\nfunds, the FBI missed its July 2002 milestone date for completing the \xe2\x80\x9cFast\nTrack\xe2\x80\x9d portion of the IPC and TNC phases.39\n\n      In April 2003, the FBI Director reported to the Senate Appropriations\nCommittee that over 21,000 new desktop computers and nearly 5,000\nprinters and scanners have been deployed throughout the FBI (IPC phase).\nAdditionally, the FBI reported that it completed the Trilogy Wide Area\nNetwork (TNC phase) on March 28, 2003. The new network, which has been\ndeployed to 622 sites, provides increased bandwidth and three layers of\nsecurity. According to the FBI, the network is highly expandable, so\nadditional capacity or even additional sites can be added as needed. This\nnetwork replaces the FBI\xe2\x80\x99s antiquated local area and wide area networks,\nenabling FBI personnel to transmit data at much greater speeds. Further,\nthe FBI expects to use the network to transport the Investigative Data\nWarehouse, which will link 31 FBI databases for single-portal searches and\ndata mining. Also, the network lays the foundation for improved information\nsharing with partner agencies and other new applications, such as the VCF.\n\n       The VCF will serve as the backbone of the FBI\xe2\x80\x99s information systems,\nreplacing the FBI\xe2\x80\x99s paper files with electronic case files that include multi-\nmedia capabilities. 
The FBI expects to deploy the VCF in three releases.\nThe initial VCF release will consolidate data from the current ACS and\nIntelPlus systems and has a targeted completion date of December 2003.\nThis release is intended to allow different types of users, such as agents,\nanalysts, and supervisors, to access from their desktop computers a variety\nof information that is specific to their individual needs. This VCF release is\nalso intended to enhance the FBI\xe2\x80\x99s capability to establish and track case\nleads, index case information, and with digital signatures move document\ndrafts more quickly through the approval process.\n\n\n      38\n        The $78 million is comprised of the $70 million that FBI requested for accelerated\ndeployment, plus $8 million for contractor support.\n       39\n            The FBI referred to the accelerated deployment of Trilogy as the \xe2\x80\x9cFast Track.\xe2\x80\x9d\n                                           - 56 \xe2\x80\x93\n\x0c      The second and third releases are intended to install three other\ninvestigative applications into the VCF: the Integrated Intelligence\nInformation Application (IIIA), Telephone Application, and Criminal Law\nEnforcement Application. These releases have a targeted completion date of\nJune 2004 and are intended to provide agents with audio/video streaming\ncapability and content management capability. According to the FBI,\ncontent management should help agents access information from the FBI\xe2\x80\x99s\ndata warehouse, based on a single query from all of the FBI\xe2\x80\x99s systems.\n\n       The OIG ITIM report, issued in December 2002, stated that the VCF,\nwhich FBI officials have stated is the most important aspect of the Trilogy\nproject in terms of improving agent performance, was at high risk of not\nbeing completed within the funding levels appropriated by Congress. 
FBI\nofficials confirmed the OIG\xe2\x80\x99s assessment in January 2003 when they told us\nthat an additional $138 million was needed to complete Trilogy, bringing the\ntotal project cost to $596 million.40 Despite the cost overruns, FBI officials\nstated that they still expect to deliver the first release of VCF in\nDecember 2003, and that funding for the second and third releases of the\nVCF has been secured.\n\n       The following sections provide further details on the IT and document\nmanagement related deficiencies noted in Campaign Finance and McVeigh\nreports, as well as an assessment of the how the VCF will address these\ndeficiencies.\n\n(2) Campaign Finance Report\n\n       In July 1999, the OIG issued a report entitled \xe2\x80\x9cHandling of FBI\nIntelligence Information Related to the Justice Department\xe2\x80\x99s Campaign\nFinance Investigation\xe2\x80\x9d (Campaign Finance). In response to a request by the\nAttorney General, the OIG reviewed the FBI\xe2\x80\x99s practices for disseminating\nintelligence information associated with the Campaign Finance Task Force\n(Task Force) investigation.\n\n      The report noted deficiencies in the use and maintenance of the FBI\xe2\x80\x99s\ncomputer database systems, including: the Task Force\xe2\x80\x99s lack of familiarity\nwith the FBI\xe2\x80\x99s databases, the FBI\xe2\x80\x99s practices and policies that limited the\nusefulness of the databases, the training of FBI personnel on the\nACS system, and the entry of foreign names into the FBI\xe2\x80\x99s databases. 
These
findings highlighted the need for FBI and Task Force personnel to be familiar
with information search techniques within the FBI’s databases, how
information should be entered into the databases in order to take advantage
of search capabilities, and the potential for errors in data entry, so that all
possible searches within the databases are conducted. Of the Campaign
Finance report’s 18 recommendations, 5 pertained to the IT-related
deficiencies.41 These five recommendations included:

       A. revising the FBI’s Manual of Administrative Operations and
          Procedures (MAOP) to require more comprehensive indexing of
          names appearing in any FBI document and requiring that all
          documents be uploaded into the Electronic Case File database
          (Recommendation IV.A),

       B. training agents who are principally responsible for the information
          that is entered into the ACS system
          (Recommendation IV.B),

       C. making agents responsible for determining what information is
          entered into the IIIA system42 (Recommendation IV.C),

       D. ensuring that any task force using the FBI’s databases obtains at
          least a fundamental appreciation for their operation
          (Recommendation IV.D), and

       E. ensuring that the FBI’s database operators are conversant with the
          format of Chinese and other foreign names
          (Recommendation IV.E).

      40 Of this amount, $57 million was needed for the VCF.
      41 These five recommendations, along with a summary of the FBI’s responses to the
recommendations, are listed in Appendix 2.
      42 According to the FBI, the IIIA is a real-time collection system that houses over 20
million records to support the counterintelligence and counterterrorism programs.

(a) Recommendation IV.A

       Regarding the uploading of documents, the FBI issued ECs in
July 2000 and June 2002 that required all e-mails and ECs to be uploaded
into the ACS system, unless otherwise prohibited by their sensitive nature.
Additionally, FBI officials stated that with the VCF, most documents will have
to be uploaded since the VCF will contain all official records and case files,
except for Top Secret/Sensitive Compartmented Information (SCI)
information.43 As a result, FBI officials stated that agents will no longer be
able to circumvent the case management system by not uploading documents.

      43 The FBI is currently working on a TS/SCI network, but at this time the VCF is only
approved up to the Secret level.

      Rather than revising the MAOP, the FBI is implementing alternative
corrective action by ensuring that the VCF will facilitate the comprehensive
indexing of names appearing in FBI documents. FBI officials stated to us
that the VCF will provide indexing on various web-based documents by
sorting data fields into searchable databases. The index of data fields,
except for narrative fields, will be automatically created once the document
is approved and entered into the VCF. Agents and analysts can then search
the index of data fields by using search screens or viewing the serialized
document. 
Because the first release of the VCF is not scheduled for
completion until December 2003, this recommendation remains open.

(b) Recommendation IV.B

       FBI officials said that they increased the ACS system training for
veteran agents. According to the FBI, since 1999 over 400 veteran and
2,300 new agents received training on the ACS system. However, it is not
clear whether the ACS training provided to veteran agents has been
adequate since this represents less than 25 percent of all FBI agents.
Additionally, we were unable to assess the FBI’s web-based training for the
VCF since it will not occur until October and November 2003. As a result,
this recommendation remains open.

(c) Recommendation IV.C

      According to the FBI, during 2000 several initiatives were undertaken
to make agents responsible for determining what information is entered into
the IIIA system and improving the accuracy of information in the IIIA
system. These initiatives included:

     •   expanding the amount of data electronically transferred from the
         ACS to the IIIA systems;

     •   establishing a more user-friendly IIIA search interface;

     •   using a macro to collect accomplishment information electronically;

     •   automating the indexing, serialization, and entry of certain data;

     •   improving the oversight provided to the uploading of particular
         surveillance logs; and

     •   automating the selection of approved cryptonyms
         (codenames/codewords).

       In addition to these improvements, the FBI stated that the IIIA system
will ultimately be replaced by the second and third releases of the VCF.
Further changes are planned for the IIIA system since the VCF development
is not based on a system-by-system replacement per se, but rather a
re-engineering of 
business practices and policies. As a result, certain subsystems and
data sets will be retired, while others will be transferred to the
VCF. The FBI is continuing to schedule and prioritize the functional
components that must be integrated into the VCF for each delivery through
June 2004. Because the second and third releases of the VCF are not
scheduled for completion until June 2004, this recommendation remains
open.

(d) Recommendation IV.D

       According to the FBI, appropriate training will be conducted whenever
a relevant task force is created. In May 2003, the FBI said that the VCF
training plan includes all Bureau task force members who will have access to
the VCF application. To prepare for the VCF training scheduled in October
and November 2003, the FBI is assessing its employees’ basic computer
literacy skills. This assessment identifies employees in need of additional
computer skills so that the necessary supplemental training can be taken
prior to the scheduled VCF training. Because training on the VCF has not yet
taken place, this recommendation remains open.

(e) Recommendation IV.E

       The FBI said that it made enhancements to the IIIA system in
July 2000 so that variations of a name are identified during a search.
Additionally, FBI officials told us that on May 3, 2002, the
Language Training and Assessment Unit (LTAU) announced a project to
adopt and implement standards for the uniform “Romanization” of foreign
personal and place names. Also in May 2002, the LTAU began work on
implementing standardization systems for “Romanizing” Arabic by offering
training to all applicable FBI employees. According to the FBI, by the end of
the second quarter of FY 2003, 371 FBI employees had received training in
Arabic “Romanization,” while classes continue to be held. 
Regarding Chinese
“Romanization,” the LTAU announced in September 2002 that training on
Chinese “Romanization” was being offered to all applicable FBI employees.
As of June 9, 2003, a total of 80 FBI employees had been trained in Chinese
“Romanization,” while classes continue to be held. Further, the LTAU has
been working with the VCF project management team to create a keyboard
for the “Romanization” of names.

     In addition to training, the FBI expects the VCF to help database
operators apply foreign names to searches within databases. For example,
the VCF will allow the addition of standard telegraphic code (STC) for Asian
names, Unicode44 for other foreign names, and it will deploy a name search
engine that incorporates variations on names. Because the first release of
the VCF is not scheduled for completion until December 2003, this
recommendation remains open.

(f) Summary

       Despite the FBI’s progress in taking corrective actions, a more
comprehensive enterprise-wide solution to the underlying deficiencies will
not occur until the VCF is implemented. As a result, some of these
deficiencies have gone uncorrected for over three years.

(3) McVeigh Report

       In March 2002, the OIG issued a report entitled “An Investigation of
the Belated Production of Documents in the Oklahoma City Bombing
Case.” The McVeigh report concluded that the belated production of case-
related documents resulted in part from the following long-standing
problems at the FBI: (1) antiquated and inefficient computer systems,
(2) inattention to information management, and (3) inadequate quality
control systems. 
The report further stated that the FBI’s troubled
information management systems were likely to have a continuing negative
effect on the FBI’s ability to properly investigate crimes.

      The McVeigh report stated that the FBI had not given sufficient
attention to correcting deficiencies in information management and the ACS
system. The IT-related findings of the report showed that the ACS system
was extraordinarily difficult to use, had significant deficiencies, and was not
suitable for the FBI in the 21st century. The report noted that inefficiencies
and complexities within the ACS system, combined with the lack of a true
information management system, contributed to the FBI’s failure to provide
hundreds of investigative documents to the defendants in the Oklahoma City
bombing case. To overcome these problems, the report made
recommendations on how future information systems should be developed.

      44 Unicode provides a unique number for every character. Fundamentally,
computers just deal with numbers. They store letters and other characters by assigning a
number for each one.

       The McVeigh report provided 21 recommendations to the FBI,
15 of which directly related to IT.45 Of these 15 recommendations,
11 involved the FBI’s completion of the VCF, 3 involved special agent
computer training, and 1 pertained to deadlines for the completion of case
leads.

(a) Deadlines for the Completion of Leads

      In the McVeigh report, the OIG recommended (recommendation 13)
that the FBI ensure that deadlines for the completion of investigative leads
are clear and not undermined by the automated system, such as the ACS
system’s setting of a 60-day deadline for “immediate” leads. 
The FBI stated
that as of August 26, 2002, the settings for deadlines within the ACS system
were changed to one day for “immediate” and “priority” leads. Based on the
OIG’s review of the policy changes for leads documented in three Electronic
Communications (ECs) and the MIOG, we believe that the FBI’s actions to
address this recommendation are adequate.

(b) Special Agent Computer Training

      The McVeigh report contained the following three recommendations
related to computer training for special agents:

      •    the FBI should evaluate its computer training in order to develop a
           clear understanding of what agents need to perform their jobs
           effectively (recommendation 8);

      •    the FBI should consider whether computer usage should be a part
           of the core skills needed to graduate from new agent training
           (recommendation 9); and

      •    the FBI should consider mandatory refresher training for veteran
           agents (recommendation 10).

      45 These 15 recommendations, along with a summary of the FBI’s responses to the
recommendations, are listed in Appendix 2.

      Regarding recommendation 8, the FBI has reported to the OIG that it
has undertaken various initiatives to improve its computer training for
special agents. In April 2003, the FBI stated that its Training Division was
assessing the computer skills agents need to perform their jobs and was
determining the need for additional improvements to the computer training
curriculum for new agents. The Training Division was using instruments
such as surveys, evaluations, and questionnaires to evaluate and make
adjustments to its computer training. 
These instruments, which are\ncompleted by agents and managers in the field, were to help the FBI\ndetermine whether the curriculum adequately prepared new agents. In\nMay 2003, the FBI provided the OIG with copies of the instruments used, as\nwell as two ECs issued in July 2002, which included a request to add\nadditional computer training for new agents. We believe that the FBI\xe2\x80\x99s\nactions to address this recommendation are adequate.\n\n       Regarding recommendation 9, the FBI reported to the OIG that\nthe Training Division has implemented a policy requiring all new agents to\npass an exam on core computer competency skills prior to graduation. In\nMay 2003, the FBI provided the OIG with an EC dated August 14, 2002, that\nmandates the \xe2\x80\x9cFinal Investigative Computer Competency Skills Assessment,\xe2\x80\x9d\nas the twelfth examination required for graduation from the new agent\ntraining. After examining this computer skills assessment, we believe that\nthe FBI\xe2\x80\x99s actions to address this recommendation are adequate.\n\n      Regarding recommendation 10, the FBI has reported to the OIG that it\nhas implemented a program of continual mandatory training for veteran\nagents and all employees. On December 12, 2000, the Training Division\nissued an EC requiring that each FBI employee receive 15 hours of training\nper year. The Training Division developed a continuing education program\nto establish employee and supervisor responsibilities for complying with the\nprogram and to identify training opportunities for FBI employees. To enforce\nthe training requirement, the FBI linked the continuing education\nrequirement to the performance evaluations of employees and supervisors.\nAdditionally, in June 2001 the FBI revised the training section of the MAOP\nto incorporate the new continuing education policies. 
After examining
continuing education program guidelines and policy changes, we believe that
the FBI’s actions to address this recommendation are adequate.

      In our judgment, the FBI has demonstrated that it has taken adequate
corrective actions to address the training deficiencies identified in the
McVeigh report. While these actions have clearly been important, the
FBI must also ensure that agents receive adequate training on the VCF,
which will be critical to its success.

(c) Recommendations Involving the VCF

     FBI officials have stated that when implemented, the VCF or
UAC portion of Trilogy will address 11 of the 15 IT-related recommendations
contained in the McVeigh report. These 11 recommendations are to:

       •    foster an attitude among all employees that information
            management is an essential part of the FBI’s mission and that
            automation is a key tool in managing the storage, analysis, and
            retrieval of information (recommendation 1);

       •    consider whether Trilogy’s document management systems can be
            simplified, such as by having supervisors review electronic
            copies of documents, and whether its record keeping formats can
            be reduced in number (recommendation 2);

       •    evaluate whether inserts should be eliminated (recommendation
            3);46

       •    evaluate its practices regarding “originals” of FBI created
            documents (such as FD-302s) (recommendation 4);

       •    ensure any new automation is user-friendly, meaning that the steps
            required to obtain information should be few in number and
            intuitive (recommendation 5);

       •    ensure any new automation system includes an effective document
            tracking system (recommendation 6);

       •    eliminate crisis management software and other independent
            systems (recommendation 7);

       •    ensure that leads cannot be covered without an explanation of what
            has been done to the task assigned (recommendation 11);

       •    ensure future automation systems incorporate a system to allow
            supervisors to easily track the status of leads (recommendation 12);

       •    evaluate the feasibility of developing a system of universal lead
            numbers to eliminate the use of local lead numbers as a tracking
            mechanism (recommendation 14); and

       •    evaluate the use of lead numbers on leads and responding reports
            and determine whether new policies, better enforcement
            of existing policies, improved training, or better automation is the
            best method of fixing the problem (recommendation 15).

       46 Inserts are forms used by the FBI to record investigative activity that is not
considered to be significant to the investigation.

      The following paragraphs discuss how, when completed, the VCF will
help implement these 11 recommendations.

      Recommendation 1

      While the FBI has taken steps to foster an attitude among all
employees that information management is an essential part of the FBI’s
mission (including the creation of a Records Management Division), the VCF
must be used by all levels at FBI Headquarters and by field supervisors to
ensure its success. In May 2003, FBI officials stated that agents will be
required to use the VCF since all official case records and files up to the
Secret level will be within the application. 
According to the FBI, unlike the
currently used ACS system, there will not be ways for agents to circumvent
the use of the VCF. However, the FBI still has not finalized its policies for
how agents will utilize the VCF from remote locations.

      Recommendation 2

      FBI officials stated that the VCF will streamline the workflow process
by including electronic signatures and reducing the number of required
forms. Under the FBI’s current investigative process, a case file could be
started by using one of many different standardized forms, such as FD-72,
FD-801, and FD-822, depending on the type of investigative category. The
forms will be replaced by the “intake” function of the VCF, which simplifies
the initiation of a case file by eliminating the need for these forms.

      Recommendation 3

      FBI officials stated that inserts would be eliminated with the
deployment of the VCF. All VCF records will be considered “resident to the
case,” meaning that they will be considered an official investigative record.

      Recommendation 4

       FBI officials told us that the VCF will essentially replace all paper
copies of investigative events. Because the Records Management
application will interface with the VCF, the only official record of the case file
will be maintained in the VCF. The intent of the VCF is to reduce, and in
some cases eliminate, the need for paper copies of documents.

      Recommendation 5

       According to FBI officials, the VCF will operate in a “point-and-click”
web environment that will simplify the FBI’s workflow process for document
storage and retrieval. 
Agents not familiar with using a computer keyboard
can have their secretaries type information into the VCF, but the agents will
still have to sign off on the file using a mouse to create an electronic
signature. Additionally, the FBI is building an integrated data warehouse
comprised of data from the ACS system, analyzed terrorism and intelligence
data, and other law enforcement data. Through servers built on the FBI’s
new Trilogy networks, the VCF will interface with the data warehouse. The
VCF will contain tools to assist FBI agents and analysts in performing queries
and searches.

      Recommendation 6

       FBI officials told us that the VCF’s automated document creation,
receipt, and management system will partially eliminate the need for
traditional tracking systems. The VCF will include capabilities to scan into
the case file any documents received from sources external to the FBI, as
well as to capture summary descriptions of any documents and items, such
as physical evidence, that cannot be stored electronically. The FBI’s intent is
to eventually track external items through a bar code identification system
that would be placed upon a physical label on the external document and
then linked to an electronic record. Additionally, FBI officials said that the
Records Management Division (RMD) is establishing systems and processes
to effectively track documents and records contained in FBI systems.

      Recommendation 7

       According to FBI officials, the VCF will consolidate five of the FBI’s
investigative applications. However, FBI officials recognize that the VCF is
only a starting point since numerous other investigative and application
systems exist that could be integrated into the VCF. Additionally, because of
unresolved connectivity issues, crisis management software may still need to
be used by agents after the initial deployment of the VCF. 
The FBI is
identifying and defining other databases and crisis management software
that should be included in future VCF releases to maximize the efficiency of
the workflow process. FBI officials told us that additional funding will be
needed to solve the connectivity issues at remote locations, as well as to
consolidate and eliminate other databases and crisis management software.

      Recommendations 11, 12, 14, and 15

       FBI officials said that upon the entry of a lead into the VCF, the system
will automatically assign a universal lead number that is unique to each
case. The supervisor will then approve and assign the lead to a subordinate
agent or receiving office. The VCF allows the supervisor to view the
subordinate agent’s leads and caseload to allow for the leads and cases to be
assigned effectively. Leads can be viewed by anyone in the FBI with
appropriate access privileges, or by anyone with a profile query established
to receive information pertaining to specific types of cases. Additionally,
split leads, or leads created from an original lead, will reflect the derivative
or parent-child relationship in their lead numbers to facilitate the tracing of all
leads to their origin. This feature allows the originating office and all
receiving offices to determine to whom the leads are assigned or whether
action on the leads has occurred, which provides agents and managers with
a user-friendly tool to ensure lead accountability. Because all leads will be
part of the case file, leads cannot be covered without an appropriate
explanation, unlike under the FBI’s current system.

      Summary

       We believe that the FBI has demonstrated progress toward
implementing the recommendations in the McVeigh report, based on its
corrective actions taken to date, as well as its plans for the VCF. 
However,
the adequacy of the FBI’s corrective actions generally cannot be determined
until the VCF has been deployed. The FBI’s ability to implement many of the
OIG’s IT recommendations and improve its IT program depends on the
successful implementation of the VCF. The following section, therefore,
discusses factors affecting the success of the VCF.

(4) Factors Affecting the Success of the VCF

       In our judgment, if the VCF can do what the FBI expects, the VCF will
represent a significant technological advancement from the ACS system.
The VCF has the potential to reduce redundancy in searching multiple
databases, improve the FBI’s case file management, and maximize the use
of information in the FBI’s possession.

      While the VCF has the potential to significantly improve the FBI’s IT,
as well as its record management and investigative efficiency, the ultimate
success of the VCF depends on a number of different factors, including
whether the VCF will meet its technical and performance expectations and
be accepted and used by FBI employees.

(a) Technical and Performance Expectations of the VCF

       To ensure its success, the VCF must meet technical and performance
expectations. As mentioned above, the Trilogy project has encountered
significant cost overruns and schedule delays due to the FBI not following
critical management processes. The OIG’s ITIM report stated that these
management problems contributed to difficulties with establishing the
technical requirements for the VCF. Because the VCF is focused on making
significant changes to five of the FBI’s investigative systems, documentation
for the exact configuration of these legacy systems was critical to designing
the requirements for the VCF. 
The lack of documentation for the\nconfiguration of these five investigative systems caused the FBI to engage in\na process of reverse engineering, which is trying to determine the structure\nand components of the systems after deployment. Because the FBI had to\nperform reverse engineering on the five systems, there are limitations as to\nhow rapidly the VCF can be developed and deployed.\n\n       As of April 2003, the FBI was still defining the technical requirements\nfor the second and third releases of the VCF. Because the technical\nrequirements had not yet been finalized and funding has not been approved,\nbaselines for the VCF had not been established. We believe that the lack of\ntechnical, cost, and schedule baselines not only creates uncertainties over\nhow much the VCF will cost and when it will be completed, but also how it\nwill perform upon implementation.\n\n       Performance of the VCF could be measured by how well it:\n(1) allows special agents to access, import, create, and scan documents\nthrough a web-based point and click environment; (2) allows supervisors to\ntrack case files and lead numbers; (3) streamlines the workflow process\nthrough the use of electronic signatures and the reduction of paper forms;\nand (4) eliminates the need for special agents to use other applications,\nsuch as crisis management software. For VCF to make these and other\nimprovements, it must have built-in security features that allow\nspecial agents and analysts to access information according to their security\nclearances and \xe2\x80\x9cneed to know.\xe2\x80\x9d Additionally, it must be able to meet the\nneeds of all FBI employees, including those performing counterterrorism\nduties, which is the FBI\xe2\x80\x99s highest priority. It must also lay the foundation for\ninformation sharing outside the FBI. 
We believe that the performance of
the VCF and, specifically, how it meets the needs of special agents and analysts,
will determine how quickly the VCF is accepted and used.

(b) Acceptance and Use of the VCF

       If the VCF is to be a vehicle for moving the FBI’s information
management into the 21st century, it must be accepted and used.
Historically, the FBI has been a paper-driven organization. A goal of the VCF
is to move toward a near paperless environment so the FBI can maximize
the use of technology to digitally capture information for data management
and control. According to FBI officials, the VCF is the first real change in the
FBI’s workflow and processes since the 1950s. Director Mueller
recently stated that “Trilogy [VCF] will change the FBI culture from paper to
electronic.”

      As noted in the Campaign Finance and McVeigh reports, special agents
did not always use the ACS system to manage their case files. For various
reasons, they found alternative ways to manage case files. The VCF must be
used by all special agents for the FBI to fully realize its benefits.

       FBI officials told us that since the VCF will contain the official case
files, agents will have to use the VCF since there will be no other acceptable
means to manage case files. However, FBI officials also acknowledged that
because of unresolved connectivity issues at remote locations, agents may
still need to use crisis management software.

2. FBI’s Process for Following-Up on Recommendations

        Until recently, the FBI had not implemented an effective system of
management controls to ensure that recommendations are resolved and
implemented in a timely and consistent manner. 
As previously stated in this
report, the FBI is required under OMB Circular A-50 and DOJ Order 2900.6A
to establish a process for resolving audit deficiencies and taking corrective
actions in a timely manner. Because it had not done so, we do not believe
that the FBI was in full compliance with OMB Circular A-50 and
DOJ Order 2900.6A.

      FBI personnel told us that while a formal process to track and resolve
recommendations did not exist prior to September 2002, an informal process
was used. Upon the final issuance of an OIG or GAO report, the
recommendations were forwarded to the responsible FBI Divisions.
Someone within the responsible Division was then assigned to respond to
the recommendations until closure occurred. However, the FBI recognized
that this informal process was not sufficient to ensure corrective actions
were timely and responsive. Specifically, FBI officials indicated to us
that the informal process:

     •   was not documented in formal policies and procedures,

     •   was not adequately monitored by executive management and not
         kept up-to-date,

     •   used multiple applications,

     •   did not keep measures of timeliness and responsiveness, and

     •   did not provide for sufficient follow-up once the original response or
         corrective action plan was submitted.

       We believe that the lack of management attention was a significant
cause of the FBI’s failure to implement prior OIG and GAO
recommendations. 
According to the Deputy Assistant Director of the\nInspection Division, high turnover within FBI management contributed to\nproblems with maintaining current responses to OIG and GAO reports.\nUnder the informal process, when individuals left the FBI or were reassigned\nwithin the Bureau, their replacements were not always made aware of\nrecommendations or requests that were left pending. As a result, responses\nto recommendations and any related corrective action were often delayed,\nand the auditing or investigating agency had to again request a response to\nits recommendations.\n\n       The FBI has also recognized that improvements in its system of\nmanaging follow-up were needed to resolve and timely implement\nrecommendations resulting from OIG and GAO reports. In September 2002,\nthe FBI\xe2\x80\x99s Inspection Division began to establish a new management process\nto improve the FBI\xe2\x80\x99s timeliness and responsiveness of corrective actions\nresulting from OIG and GAO recommendations and to bring the FBI in\ncompliance with applicable regulations (OMB Circular A-50 and\nDOJ Order 2900.6A) for the follow-up and resolution of audit\nrecommendations. To facilitate the implementation of this new management\nprocess, the Inspection Division developed a database, referred to as the\n\xe2\x80\x9cAutomated Response and Compliance System\xe2\x80\x9d (ARCS). 
According to the\nFBI, ARCS is an automated tool that is intended to:\n\n     \xe2\x80\xa2   document and track initiated, ongoing audits and data requests\n         from OIG, GAO, and others;\n\n     \xe2\x80\xa2   track recommendations made in OIG and GAO audits,\n         investigations, and reviews until closure; and\n\n\n                                       - 70 \xe2\x80\x93\n\x0c      \xe2\x80\xa2   provide status information to FBI\xe2\x80\x99s executive management on, or\n          close to, a real time basis.\n\n       The FBI\xe2\x80\x99s new database tracks the receipt and resolution of audits,\ninvestigations, and data requests from the OIG, GAO, and others. It also\ntracks the tasks associated with FBI\xe2\x80\x99s current re-engineering efforts. Among\nits functions, the database is intended to provide information to FBI\nmanagement on a regular basis to keep them informed of a report\xe2\x80\x99s\nprogress and to ensure timely implementation of recommendations.\nHowever, this database does not include vulnerabilities generated by system\naudits required by GISRA. The FBI\xe2\x80\x99s Information Assurance Section has\ntaken steps to develop a separate database to record and manage the status\nof system audit vulnerabilities.\n\n       The ARCS database tracks audit reports within four hierarchical levels:\n(1) the report level, (2) the findings level, (3) the recommendation level,\nand (4) the action or task level. The report level provides general\ninformation about the report, such as the report title and number, status,\nclassification level, requesting official (for GAO audits), issue date, received\ndate, response due date, and FBI Division point-of-contact. The findings\nlevel describes the findings of the audit. The recommendation level is under\nthe findings level and describes the issuing entity\xe2\x80\x99s suggestions to address\nthe findings. 
The action or task level specifies what corrective actions the\nBureau will take in order to satisfy the recommendations (and therefore, the\nfindings).\n\n       In conjunction with the development of the database, the FBI has\ndeveloped policies and procedures for the Inspection Division\xe2\x80\x99s\nresponsibilities for resolving OIG and GAO reports. These policies and\nprocedures require the Inspection Division to assign a liaison for each report\nwith outstanding recommendations and for scheduled audits and reviews.\nThe liaison has the primary responsibility for entering information into the\ndatabase, including deadlines for when tasks should be completed. The\nliaison also has the responsibility to ensure that the report is assigned to a\n\xe2\x80\x9cproject manager\xe2\x80\x9d and that individual tasks are assigned to appropriate\npoints-of-contact. This control ensures that appropriate FBI personnel can\nbe held accountable for taking timely corrective actions. The liaison\nmonitors the completion of tasks and is instructed to send periodic e-mail\nnotices when tasks are near their due date or past due. Additionally,\nInspection Division management reviews the activities of the liaisons to\nensure that liaisons are adequately monitoring their assigned projects.\n\n\n\n                                     - 71 \xe2\x80\x93\n\x0c       In January 2003, the Inspection Division officials trained its liaisons on\nthe ARCS system. An Inspection Division official told us that any new\nliaisons will be trained on an as-needed basis. As of May 2003,\n13 liaisons have been trained on the ARCS database.\n\n      As of May 2003, the FBI was still adding relevant information to the\nARCS database for open GAO reports. For OIG reports, Inspection Division\npersonnel told us that the database had been updated to include all reports\nwith open recommendations. 
However, we found that the ARCS database\ndid not include the OIG Campaign Finance report that contained 18 open\nrecommendations. Inspection Division personnel told us that certain highly\nsensitive reports \xe2\x80\x94 such as the Campaign Finance report or matters\ninvolving the Office of Professional Responsibility may not be added to the\ndatabase, due to the classified nature of the reports. Based on our inquiry,\nthe Inspection Division began researching the status of the Campaign\nFinance recommendations.\n\n       FBI officials said that the database, which is maintained on the FBI\xe2\x80\x99s\nintranet, generates reports for senior FBI management that provide\ninformation on upcoming suspense dates. For example, the\nDeputy Directors are required to perform quarterly reviews of their Division\xe2\x80\x99s\nprogress in completing outstanding tasks. According to FBI officials, the\nInspection Division Assistant Director uses reports generated by the ARCS\ndatabase to discuss outstanding tasks at weekly executive meetings, which\nare attended by the Assistant Directors, Executive Assistant Directors, and\nthe Director. These and other reports have been periodically forwarded to\nthe Director, upon his request. FBI officials told us that the Director has\ntaken a particular interest in the timeliness and responsiveness of the FBI\xe2\x80\x99s\ncorrective actions, re-engineering efforts, and responses to Congressional\nrequests. The Director wants to be notified, especially with regard to high\nprofile reviews, when the FBI has not been timely and responsive in its\nplanned actions.\n\n       While the ARCS database can be a useful tool for the FBI\xe2\x80\x99s\nestablishment of a management process directed toward improving the\ntimeliness and responsiveness of its corrective actions, the ultimate\neffectiveness of this system depends on formal and consistent oversight\nfrom senior FBI management. 
Thus far, however, the FBI has not\npromulgated written directives Bureau-wide that instruct program managers\nand senior officials outside of the Inspection Division regarding their\nobligation to take corrective actions that will close recommendations. In our\njudgment, the FBI must develop and institute formal written procedures that\nrequire senior management oversight of the timeliness and responsiveness\n\n                                     - 72 \xe2\x80\x93\n\x0cof recommendations. These written procedures should also incorporate the\npolicies for tracking the status of vulnerabilities generated by IT system\naudits.\n\n3. Summary\n\n       Since 1990, reports issued by the OIG have found numerous\ndeficiencies with the FBI\xe2\x80\x99s IT program, including outdated infrastructures,\nfragmented management, ineffective systems, and inadequate training.\nWhile the FBI has implemented many of the recommendations contained in\nthese reports, significant further actions are necessary to ensure that the\nFBI\xe2\x80\x99s IT program effectively supports its mission. Of the 148 IT-related\nrecommendations issued by the OIG, 93 have been closed by the OIG, while\n55 remain open. 
The following table provides a summary of the status of IT recommendations issued to the FBI by the OIG.

Summary of the Status of IT Recommendations Issued to the FBI

                                    Number of Open     Number of Closed    Total Number of
                                    Recommendations    Recommendations     Recommendations
OIG Detailed Financial IT Reports         22                 83                 105
OIG FY 2001 GISRA Report                  17                  6                  23
OIG Special Reports                       16                  4                  20
Total                                     55                 93                 148
Source: OIG analyses as of April 2003

OIG audits and reviews indicated that deficiencies remained in the area of general controls over FBI Headquarters data systems, except for system software. As of April 2003, 22 of the 105 recommendations issued in the FY 1996 through FY 2001 reports remained open. Additionally, the FY 2001 GISRA report stated that the FBI had been slow to take corrective actions, since many of the vulnerabilities had previously been reported in the annual audits of general controls. Of the 23 recommendations from the FY 2001 GISRA audit, 17 remained open as of April 2003. Further, the FY 2002 GISRA report on the FBI’s ACS system stated that vulnerabilities similar to those reported in the FY 2001 report continued.

The FBI GISRA reports issued in May and November 2002 identified vulnerabilities with management, operational, and technical controls over computer security. These reports also stated that within the FBI, only the Inspection Division tracked remedial actions for reported computer security vulnerabilities. With the exception of audits performed by the OIG, the FBI’s Inspection Division did not track the ACS or DRUGX systems’ vulnerabilities identified in other audits and their corresponding corrective actions. Further, these reports stated that the Inspection Division did not receive any other audit results or reviews outside of the OIG audits and therefore had limited knowledge of other reported vulnerabilities.[47]

[47] In April 2003, the Inspection Division began tracking findings and recommendations issued by the GAO.

Until recently, the FBI did not establish a system of management controls for tracking recommendations, as required by OMB Circular A-50 and DOJ Order 2900.6A. As a result, the FBI did not consistently implement recommendations and did not adequately improve its information technology to ensure that data is safeguarded and reliable and that computer application programs are secured and protected from unauthorized access. Additionally, the non-implementation of fixes for previously identified IT problems, especially regarding the ACS system, has contributed to problems in sensitive investigations, such as the Campaign Finance and McVeigh investigations. However, current FBI leadership has stated that it is committed to enhancing controls to ensure recommendations are implemented in a consistent and timely manner. To this end, the FBI recently established a system to facilitate the tracking and implementation of recommendations. Also, the FBI expects the VCF, as part of the Trilogy project, to significantly improve its IT and correct many of the deficiencies identified by the OIG.

According to the FBI, the VCF is intended not only to correct many of the deficiencies identified in the Campaign Finance and McVeigh reports, but also to revolutionize the FBI’s workflow process. We believe that the corrective actions underway, including the planned implementation of the VCF, have the potential to address 16 of the 20 open OIG recommendations we examined from the Campaign Finance and McVeigh reports. However, the ultimate effect of the VCF remains to be seen. We believe that the success of the VCF depends on whether it can meet its technical and performance expectations and be accepted and used by FBI employees.

4. Recommendations

We recommend that the Director of the FBI:

1. Develop, document, and implement Bureau-wide procedures to follow up and close audit and investigative recommendations, in accordance with OMB Circular A-50 and DOJ Order 2900.6A. This process should include the tracking and resolution of system audit recommendations.

2. Ensure that the ARCS database is complete and includes recommendations from all sources of OIG audits and reviews.

3. Ensure that managers are held accountable for the tracking, resolution, and timely implementation of OIG recommendations.

STATEMENT ON COMPLIANCE WITH LAWS AND REGULATIONS

In accordance with Government Auditing Standards, we audited the FBI’s implementation of OIG recommendations related to information technology. In connection with the audit, we reviewed management processes and records to obtain reasonable assurance about the FBI’s compliance with laws and regulations that, if not complied with, could in our judgment have a material effect on FBI operations.
Compliance with laws and regulations applicable to the FBI’s management of IT investments is the responsibility of the FBI’s management.

Our audit included examining, on a test basis, evidence about laws and regulations. The specific laws and regulations against which we conducted our tests are contained in the relevant portions of:

• OMB Circular A-50; and

• DOJ Order 2900.6A.

Our audit identified areas where the FBI was not in compliance with the laws and regulations referred to above. With respect to those transactions not tested, nothing came to our attention that caused us to believe that FBI management was not in compliance with the laws and regulations cited above.

STATEMENT ON MANAGEMENT CONTROLS

In planning and performing our audit of the FBI’s implementation of OIG recommendations related to information technology, we considered the FBI’s management controls for the purpose of determining our audit procedures. This evaluation was not made for the purpose of providing assurance on the management control structure as a whole; however, we noted certain matters that we consider to be reportable conditions under Government Auditing Standards.

Reportable conditions involve matters coming to our attention relating to significant deficiencies in the design or operation of the management control structure that, in our judgment, could adversely affect the FBI’s ability to track, resolve, and implement audit and investigation recommendations. During our audit, we found the following management control deficiency — the FBI lacked a fully established and documented process that ensures recommendations are implemented in a timely and consistent manner.

Because we are not expressing an opinion on the FBI’s management control structure as a whole, this statement is intended solely for the information and use of the FBI in managing its recommendation resolution and closure process.

APPENDIX 1

OBJECTIVES, SCOPE, AND METHODOLOGY

Objectives

The primary objective of the audit was to determine if the FBI has implemented prior OIG and GAO recommendations directed toward improving its information technology.[48]

[48] We included recommendations related to document management because FBI documents are generally produced electronically or managed in automated databases and systems.

Scope and Methodology

The audit was performed in accordance with Government Auditing Standards and included tests and procedures necessary to accomplish the audit objective. We conducted work at FBI Headquarters in Washington, D.C., and GAO Headquarters in Washington, D.C. We also visited internal offices within the Office of the Inspector General, specifically the Financial Statement Audit Office, the Computer Security and Information Technology Audit Office, and the Office of Oversight and Review.

To perform our audit, we conducted 27 interviews with officials from the FBI, OIG, and GAO. The FBI officials interviewed were from the Inspection Division, Information Resources Division, and National Infrastructure Protection Center. Additionally, we reviewed over 100 documents, including prior GAO and OIG reports, Congressional testimony, and documentation on the FBI’s process for tracking the resolution of recommendations.

To determine if the FBI has implemented IT recommendations issued by the OIG in the last five years, we made inquiries with OIG management in the Audit Division, Investigations Division, Evaluation and Inspections Division, and the Office of Oversight and Review to identify the applicable reports. Based on our inquiries, we determined that the OIG’s detailed internal control reports over the FBI’s IT systems in support of the annual financial statement audits (fiscal years 1996 to 2001), the FY 2001 and FY 2002 GISRA reports, and two special review reports contained recommendations related to the FBI’s information technology and information management. Based on the records and opinions of the OIG offices responsible for preparing the reports and on interviews with FBI officials, we then analyzed and summarized the current status of the recommendations.

To determine if the FBI has implemented IT recommendations issued by the GAO in the last five years, we searched the GAO website for reports that included references to the FBI and information technology or information management. From this sample, we reviewed reports to identify recommendations made to the FBI that pertain to IT. Our search indicated that one report contained one recommendation that met our criteria.[49] Additionally, we made inquiries with GAO personnel to determine if they had issued any classified reports relating to FBI IT that would not be listed on the website.
We were told by GAO personnel that no such classified reports were issued. From the GAO’s website, we obtained the status of the recommendation and confirmed the status through inquiries with GAO and FBI personnel, as well as by reviewing supporting documentation.

[49] This report is discussed in Appendix 3.

APPENDIX 2

THE FBI’S PROGRESS TOWARD IMPLEMENTING IT RECOMMENDATIONS

To understand the full context of these recommendations, it is necessary to view the associated report in its entirety. Recommendations that have been repeated in subsequent reports are designated in the following tables by having multiple years in the FY column. The FY column also contains the recommendation number and a designation as to whether the recommendation resulted from a material weakness (MW), reportable condition (RC), or management letter comment (MLC).[50]

[50] This only applies to the recommendations from the detailed IT reports issued in support of the annual FBI financial statement audits.

1. Recommendations in the Detailed IT Reports Issued in Support of the Annual FBI Financial Statement Audits

Entity-Wide Security Program Planning and Management Controls: Closed Recommendations

FY(s): 1998 RC#16
Recommendation: The FBI should take steps to clearly assign, identify, and communicate information security responsibilities. Such steps should include the development of detailed organizational charts, job descriptions, and security plans, all of which should be kept current.
FBI’s Progress: The FBI hired a contractor in August 1999 to complete this task. This recommendation was closed by the OIG in October 2002 based on a review of the corrective actions taken.

FY(s): 1998 RC#17
Recommendation: Allocate sufficient resources to ensure the proper implementation of its policy requiring all ADPT systems used to process, store, or transmit classified or sensitive information to be accredited every three years.
FBI’s Progress: The FBI hired a contractor in August 1999 to complete this task. This recommendation was closed in October 2002 based on a review of the corrective actions taken.

FY(s): 1999 MW#1; 1998 RC#14
Recommendation: Ensure that risk assessments of the FBIHQ Data Center, its other general support systems, and all major applications are conducted as required by OMB Circular A-130 and by the FBI’s Manual of Investigative Operations and Guidelines: FBI ADPT Security Policy, Part II, Section 35:8.1.3, ADPT Security Policy.
FBI’s Progress: The FBI’s March 2001 response to the recommendation stated that a contractor was to conduct a risk assessment and revise the system security plan for the administrative Information Support Systems. This recommendation was closed by the OIG on final issuance of the FY 1999 report, based on a review of the risk assessments provided.

FY(s): 1999 MW#3; 1998 RC#17
Recommendation: Ensure that the systems and applications are accredited every three years.
FBI’s Progress: The FBI’s March 2001 response to the recommendation stated that the re-accreditation of the FBIHQ and Clarksburg Data Centers, the FBI LAN/Wide Area Network (WAN), and the legacy administrative applications was completed during June 2000. This recommendation was closed by the OIG upon final issuance of the FY 1999 report, after a review of the accreditation packages.

FY(s): 1999 MW#4
Recommendation: Renew the interim accreditation for general control systems and major applications and ensure these accreditations: a. reflect a more accurate estimate of the anticipated final accreditations, according to the contractor’s planned deliverable due dates and actual progress to date; and b. address the increased threats and vulnerabilities to the FBI’s systems, applications, and connectivity, which were identified during penetration test work.
FBI’s Progress: The FBI’s March 2001 response to the recommendation stated that the re-accreditation of the FBIHQ and Clarksburg Data Centers, the FBI LAN/WAN, and the legacy administrative applications was completed during June 2000. This recommendation was closed by the OIG in October 2002 based on a review of the corrective actions taken.

FY(s): 1999 MW#5; 1998 RC#18
Recommendation: The FBI should improve security and application controls by determining which of its systems are classified as “major applications,” and ensuring that for each major application, including the Financial Management System and Bureau Personnel Management System (BPMS): • security plans are developed in accordance with OMB Circular A-130, implemented, disseminated to systems users, and periodically updated, as necessary; • risks are assessed when there is a major systems modification or, at a minimum, every three years; and • the system is accredited at least every three years.
FBI’s Progress: The FBI’s March 2001 response to the recommendation stated that the necessary actions were completed and the FBIHQ and Clarksburg Data Centers, the FBI LAN/WAN, and the legacy administrative systems were re-accredited. This recommendation was closed by the OIG upon final issuance of the FY 1999 report based on a review of risk assessments, security plans, and accreditation statements.

Source: OIG analyses as of April 2003

Entity-Wide Security Program Planning and Management Controls: Open Recommendations

FY(s): 2001 MW#1; 2000 MW#1; 1999 MW#2; 1998 RC#15
Recommendation: Recommend that the FBI Director: Ensure the ADPT Security Policy requiring security plans are completed appropriately and include: a. system-specific rules of behavior; b. training; and c. documentation that outlines the rules of the system, as required by OMB Circular A-130 and National Institute of Standards and Technology Special Publication 800-18.
FBI’s Progress: The FBI’s September 2002 response to the recommendations stated that the current certification and accreditation (C&A) effort has been addressing these requirements. In addition, the Education, Training, and Awareness Program intends to sponsor a variety of awareness campaigns targeting the users and IT support staff of the FBI’s mission-critical and mission-essential systems. The FBI has provided a July 2003 estimated completion date for closure of these recommendations.

FY(s): 2001 MW#2
Recommendation: Ensure the Payroll System Security Plan incorporates: a. an incident response capability; b. rules of behavior; and c. system interconnection documentation, if applicable.
FBI’s Progress: The Payroll System Security Plan is currently on the legacy systems’ C&A schedule, which has been prioritized in coordination with the FBI’s Designated Approving Authority and the DOJ Chief Information Officer. The FBI’s C&A process will address all aspects of system security in the payroll system. The FBI has provided a July 2003 estimated completion date for closure of these recommendations.

Source: OIG analyses as of April 2003

Access Controls: Closed Recommendations

FY(s): 1996/97 RC#2
Recommendation: The FBI should consider reducing the PWEXP[51] duration from 90 days. Further, the grace period for the expiration of user passwords should be reduced to 5 days.
FBI’s Progress: The FBI’s February 1999 response to the recommendation stated that no action would be taken and that the Bureau was well within the DOJ mandate that called for password expiration every 180 days. Upon further review, the OIG agreed with the FBI’s position that no corrective action was necessary. As a result, this recommendation was closed by the OIG upon the issuance of the FY 1996/97 final report.

[51] According to the OIG’s 1996/97 report, PWEXP is a parameter from the FBI’s mainframe computer security package.

FY(s): 1996/97 RC#3
Recommendation: Set the TAPE parameter (from the FBI’s mainframe computer security package) to “ON.”
FBI’s Progress: The FBI’s February 1999 response to the recommendation stated that if the Bureau followed the recommendation, the software would not function properly. Upon further review, the OIG agreed with the FBI’s position that no corrective action was necessary. As a result, this recommendation was closed on issuance of the FY 1996/97 final report.

FY(s): 1996/97 RC#4
Recommendation: The PWVIEW parameter (from the FBI’s mainframe computer security package) should always be set to “NO.” If this parameter is changed, proper authorization should be obtained from the data security officer.
FBI’s Progress: The FBI’s February 1999 response to the recommendation stated that the Bureau agreed with the recommendation. This recommendation was closed by the OIG upon issuance of the FY 1996/97 final report based on a review of the corrective actions taken.

FY(s): 1996/97 RC#5
Recommendation: Establish procedures that require new users to immediately change their initial password. These procedures should be distributed to users when they are notified that access has been established.
FBI’s Progress: The FBI’s July 1999 response to the recommendation provided information demonstrating adequate corrective actions. This recommendation was closed by the OIG in December 1999 based on a review of the corrective actions taken.

FY(s): 1996/97 RC#6
Recommendation: The FBI should review user access to sensitive system files. After the review, data set access should be modified to restrict user access, including READ and EXECUTE, to sensitive system files.
FBI’s Progress: The FBI’s February 1999 response to the recommendation stated that although the Bureau was performing this function, it did not have a formal process documenting these reviews. This recommendation was subsequently closed by the OIG upon issuance of the final report based on a review of the corrective actions taken.

FY(s): 1996/97 RC#10
Recommendation: Develop the Authorized Program Facility administrative policies and procedures to ensure compliance with the manufacturer’s integrity rules for all its mainframe operating systems.
FBI’s Progress: The FBI’s February 1999 response to the recommendation stated that the Bureau conducted semiannual audits to ensure that data sets that no longer needed to be authorized had been removed. This recommendation was closed by the OIG upon issuance of the final report, based on a review of the corrective actions taken.

FY(s): 1996/97 RC#11
Recommendation: Establish policies and procedures to ensure that Novell users are assigned unique passwords.
FBI’s Progress: The FBI’s February 1999 response to the recommendation stated that the FBI agreed with the recommendation and that immediate corrective action had been taken. This recommendation was closed by the OIG upon issuance of the final report based on a review of the corrective actions taken.

FY(s): 1996/97 RC#12
Recommendation: Modify the Novell Network Administrator facility to prevent Finance Division users from viewing other users’ access capabilities.
FBI’s Progress: The FBI’s February 1999 response to the recommendation stated that corrective action had been taken. This recommendation was closed by the OIG upon issuance of the final report based on a review of the corrective actions taken.

FY(s): 1996/97 RC#13
Recommendation: Establish and distribute procedures requiring local security administrators to periodically, at least quarterly, review employees’ access privileges in relation to their current job functions.
FBI’s Progress: The FBI’s February 1999 response to the recommendation stated that alternative corrective actions were implemented. The recommendation was closed by the OIG upon the final report’s issuance based on acceptable corrective actions taken.

FY(s): 1996/97 RC#14
Recommendation: Evaluate the risks of retaining inactive user identifications beyond 180 days on the system. Modify policies and procedures to ensure compliance.
FBI’s Progress: The FBI’s February 1999 response to the recommendation stated that user accounts were being removed after 180 days of inactivity. This recommendation was closed by the OIG upon issuance of the final report based on a review of the corrective actions taken.

FY(s): 1996/97 MLC#23
Recommendation: Develop and implement exit procedures that require the local security administrator or security officer to promptly remove user access for terminated employees.
FBI’s Progress: The FBI’s February 1999 response to the recommendation stated that the FBI recommended an alternative corrective action. This recommendation was closed by the OIG upon the final report’s issuance based on a review of the corrective actions taken.

FY(s): 1996/97 MLC#24
Recommendation: Create an electronic file that identifies terminated and transferred employees. In addition, continue periodically reviewing user access profiles and privileges.
FBI’s Progress: The FBI’s February 1999 response to the recommendation stated that the corrective action for this recommendation was completed in October 1998. This recommendation was closed in December 1999 based on a review of the corrective actions taken.

FY(s): 1996/97 MLC#25
Recommendation: Implement appropriate access controls in order to operate at the B1 level of trust.
FBI’s Progress: The FBI’s February 1999 response to the recommendation stated that factual inaccuracies existed in the recommendation. However, the recommendation was subsequently closed by the OIG upon issuance of the final report based on acceptable alternative corrective action taken.

FY(s): 1996/97 MLC#26
Recommendation: Review daily reports for the System Management Facility (SMF) record 07 to ensure that SMF records are not being lost due to the untimely dumping of buffer files to tape.
FBI’s Progress: The FBI’s February 1999 response to the recommendation stated that an alternative corrective action was implemented. This recommendation was closed by the OIG upon issuance of the final report based on a review of the corrective actions taken.
Record and\n            include SMF records 17, 18,\n            and 60-69 in normal backup\n            procedures.52\n  1998      Set the MODE parameter to         The FBI\xe2\x80\x99s February 1999 response to the\n  RC#1      \xe2\x80\x9cFAIL.\xe2\x80\x9d                           recommendation stated that the testing of the\n  1996/97                                     \xe2\x80\x9cFAIL\xe2\x80\x9d global mode would be initiated to\n  RC#1                                        determine if any adverse problems surfaced\n                                              that would preclude making this a permanent\n                                              setting. This recommendation is revisited\n                                              annually by the OIG and was closed on final\n                                              issuance of the FY 1996/97 and 1998 reports\n                                              based on a review of the corrective actions\n                                              taken.\n\n\n\n\n       52\n         According to the OIG\xe2\x80\x99s FY 1996/97 report, SMF record 07 is a control function that\nshows the quantity of SMF records being lost by untimely dumping of any one of the three\nSYS1.MAN buffer files to tape. Additionally, SMF records 17 and 18 pertain to the deleting\nand renaming of data files, respectively. Also, SMF records 60 \xe2\x80\x93 69 pertain to the virtual\nstorage access method data files.\n\n\n                                             - 86 -\n\x0c  1998      Initiate, plan and execute a     The FBI\xe2\x80\x99s June 2000 response did not address\n  RC#2      project to refine the CA-Top     this recommendation. 
However, the\n            Secret53 profiles to support     recommendation was closed by the OIG in\n            role-based access controls       October 2002 based on a review of the\n            based upon the access            corrective actions taken.\n            required by system users to\n            complete the responsibilities\n            of assigned roles and\n            responsibilities.\n  1998      Periodically perform an          The FBI\xe2\x80\x99s June 2000 response to the\n  RC#3      entity-wide data assessment      recommendation stated that the FBI did not\n            on network systems to            agree with the recommendation. Although in\n            determine where potential        their response the FBI disagreed with the\n            liabilities exist.               finding, documentation was subsequently\n                                             provided that supported corrective actions\n                                             taken. The recommendation was closed by\n                                             the OIG upon issuance of the final report.\n  1999      Delete users that no longer      The FBI\xe2\x80\x99s March 2001 response to the\n  MW#7      require access to the            recommendations stated that the\n  1998      network or do not have a         Financial Division Systems Administrators had\n  RC#8a     demonstrated need for their      completed the recommended secure\n            access.                          networking environment changes pertaining to\n  1999      Require unique passwords         these recommendations. These\n  MW#8      for all user accounts,           recommendations were closed by the OIG\n  1998      particularly system              based upon a review of the corrective actions\n  RC#8e     administrators.                  
taken.\n\n 1998       Restrict users from having\n RC#8b      concurrent logins.\n\n 1998       Enable time restrictions for\n RC#8c      user accounts.\n\n 1998       Assign account expiration for\n RC#8d      temporary user accounts.\n\n  1999      Require all system\n  MW#9      administrators to change\n  1998      their passwords at least\n  RC#8f     every 30 days.\n\n\n\n\n      53\n        According to the OIG\xe2\x80\x99s FY 1996/97 report, CA-Top Secret is the FBI\xe2\x80\x99s mainframe\ncomputer security package.\n\n                                            - 87 -\n\x0c1999      Conduct a complete audit of       The FBI\xe2\x80\x99s March 2001 response to the\nMW#11     the CA-Top Secret and FMS         recommendation stated that the FBI is\n          application security to           continuing its efforts to modify and hone the\n          identify all security control     FMS Top-Secret Security profiles to ensure the\n          weaknesses and develop a          \xe2\x80\x9cleast privilege\xe2\x80\x9d type of access is provided to\n          plan of action for                the FMS customers. This recommendation\n          implementing an effective         was closed by the OIG upon issuance of the\n          security program.                 FY 1999 final report based on a review of the\n                                            corrective actions taken.\n1999      Periodically perform an           The FBI\xe2\x80\x99s March 2001 response to the\nMW#12     entity-wide data assessment       recommendations stated that during FY 2000,\n1998      on the mainframe and              a number of actions were completed relative\nRC#4      network systems to                to the recommendations. These\n1996/97   determine where potential         recommendations were closed by the OIG\nRC#8      liabilities exist.                
upon issuance of the FY 1999 final report\n                                            based on a review of the corrective actions\n1999      Initiate, plan, and execute a     taken.\nMW#13     project to refine the CA-Top\n1998      Secret profiles to support\nRC#5      role-based access controls\n1996/97   based upon the access\nRC#7      required by the systems\n          users to complete the\n          responsibilities of assigned\n          roles and responsibilities.\n1999      Consider installing \xe2\x80\x9csmart\nMW#14     card\xe2\x80\x9d technology to provide\n1998      a more robust means of\nRC#10     authentication for legitimate\n1996/97   users of the FBI systems.\nRC#9\n\n1999      Establish and implement a         FBI\xe2\x80\x99s March 2001 response to the\nMW#15     policy that prevents              recommendation stated that the Bureau had\n          employees from                    purchased commercial-off-the-shelf software\n          indiscriminately activating       and was developing a procedure to perform\n          dial-up access to FBI             \xe2\x80\x9cwar dialing\xe2\x80\x9d exercises on all FBI Private\n          systems.                          Branch Exchange lines. This recommendation\n                                            was closed by the OIG based on a review of\n                                            the corrective actions taken.\n1999      Review the Finance Division\xe2\x80\x99s     The FBI\xe2\x80\x99s March 2001 response to the\nMW#16     access privileges on the          recommendation indicated that the\n          Novell NetWare file and           Finance Division system administrators\n          directory objects to ensure       reviewed the access privileges on the\n          that only those individuals       Novell NetWare file and directory objects and\n          requiring read, write, create,    made changes to insure proper access. 
This\n          modify, and scan have such        recommendation was closed by the OIG upon\n          privileges.                       issuance of the FY 1999 final report based on\n                                            a review of the corrective actions taken.\n\n\n\n\n                                           - 88 -\n\x0c2000    Ensure that the Finance           The FBI\xe2\x80\x99s September 2001 response to the\nMW#5    Division Windows NT               recommendation stated that the Finance\n        configuration meets the           Division system administrators reviewed\n        criteria presented in the FBI     access privileges on the Novell NetWare file\n        Windows NT baseline               and directory objects and made changes to\n        documentation.                    insure proper access. Changes were made to\n                                          allow access to file and directory objects based\n                                          on assignment. This recommendation was\n                                          closed by the OIG upon issuance of the\n                                          FY 2000 final report based on a review of\n                                          corrective actions taken.\n2000    Ensure all shares providing       The FBI\xe2\x80\x99s June 2002 response to the\nMW#6    full access are removed. In       recommendation stated that all employees\n        addition, all Finance Division    responsible for the Division\xe2\x80\x99s servers had been\n        administrators should             properly trained and certified. The FBI also\n        receive network security          provided a list of the courses offered. 
This\n        training to properly ensure       recommendation was closed by the OIG in\n        that they are kept abreast of     October 2002 based on a review of corrective\n        current and proper                actions taken.\n        administrative techniques.\n2000    Ensure all user accounts          The FBI\xe2\x80\x99s June 2002 response to the\nMW#7    inactive for over 90 days are     recommendation provided information and\n        suspended and user                evidence of corrective action. This\n        accounts inactive for             recommendation was closed by the OIG in\n        180 days are deleted from         October 2002.\n        the Finance Division\xe2\x80\x99s LAN.\n2000    Ensure the current service        The FBI\xe2\x80\x99s September 2001 response to the\nMW#8    pack is installed on all          recommendation stated that a team was\n        Microsoft Windows NT              formed to ensure that proper software updates\n        environments.                     and configuration standards are maintained.\n                                          The recommendation was closed by the OIG\n                                          upon issuance of the FY 2000 final report\n                                          based on a review of corrective actions taken.\n2000    (U) Ensure the database           The FBI\xe2\x80\x99s September 2001 response to the\nMW#9    administrator Top Secret          recommendation stated that the FBI reviewed\n        Accessor Identification           the profile of the database administrator and\n        (ACID) profile is reviewed        altered the profile to provide privileges\n        and altered to ensure that        required to complete tasks. 
The OIG closed\n        only the least amount of          this recommendation in October 2002 based\n        privileges are granted to         on a review of the corrective actions taken.\n        complete assigned job tasks.\n2000    Ensure the removal of the         The FBI\xe2\x80\x99s September 2001 response to the\nMW#10   IBMUSER account from the          recommendation stated that this issue was\n        mainframe.                        resolved before December 2000. This\n                                          recommendation was closed by the OIG in\n                                          October 2002 based on a review of the\n                                          corrective actions taken.\n   Source: OIG analyses as April 2003\n\n\n\n\n                                         - 89 -\n\x0c               Access Controls: Open Recommendations\n\nFY(s)           Recommendation                                  FBI\xe2\x80\x99s Progress\n1998    Periodically perform an entity-wide      The FBI\xe2\x80\x99s June 2000 response to the draft\nRC#7    data assessment on network               report stated that the FBI\xe2\x80\x99s Information\n        systems to determine where               Resources Division (IRD) Server Team\n        potential liabilities exist.             installed a Gateway 8400 server to address\n                                                 this recommendation. Verification is still\n                                                 required to close this recommendation.\n1998    Develop formal procedures to             The FBI\xe2\x80\x99s June 2000 response to the draft\nRC#9    establish audit trails in the security   report stated that the FBI is taking\n        features of networks that are            corrective actions, but technical controls\n        consistent across all                    over the Finance Division LAN were not\n        divisions/departments, including         fully implemented. 
This recommendation\n        the activation of NetWare\xe2\x80\x99s              can be closed when annual financial\n        \xe2\x80\x9cIntruder Detection.\xe2\x80\x9d These              statement audit test work verifies that the\n        procedures should include                FBI has developed formal procedures to\n        provisions to reinforce the active       establish audit trails in the security\n        monitoring of that security              features of its networks that are consistent\n        information.                             across all divisions and departments,\n                                                 including the activation of NetWare\xe2\x80\x99s\n                                                 \xe2\x80\x9cIntruder Detection.\xe2\x80\x9d\n1998    Strengthen user authentication           The FBI\xe2\x80\x99s June 2000 response to the draft\nRC#11   controls by implementing an active       report stated that the necessary corrective\n        token for user authentication.           action had been completed. This\n                                                 recommendation can be closed when\n                                                 annual financial statement audit test work\n                                                 verifies that user authentication controls\n                                                 have been strengthened by\n                                                 implementation of an active token for user\n                                                 authentication.\n1998    Provide computer security training       The FBI\xe2\x80\x99s June 2000 response to the draft\nRC#12   to users at least annually. Training     report stated that the necessary corrective\n        should include a process for             action had been completed. This\n        reporting computer-related               recommendation can be closed when\n        incidents.                               
annual financial statement audit test work\n                                                 verifies that computer security training has\n                                                 been provided to users at least annually.\n1998    Establish a computer incident            The FBI\xe2\x80\x99s June 2000 response to the draft\nRC#13   response team to manage                  report stated that the necessary corrective\n        computer related security                action had been completed. This\n        incidents.                               recommendation can be closed when\n                                                 annual financial statement audit test work\n                                                 verifies that the FBI has established a\n                                                 computer incident response team for\n                                                 managing computer related security\n                                                 incidents.\n\n\n\n\n                                         - 90 -\n\x0c2000       Ensure all accounts have strong     The FBI\xe2\x80\x99s March 2001 response to the\nMW#4       passwords.                          recommendation stated that a new policy\n1999                                           was created requiring unique passwords,\nMW#17,18                                       and those passwords had to be changed\n                                               every 90 days. 
The OIG\xe2\x80\x99s October 2002\n                                               response to the FBI stated that this\n                                               recommendation remains open until it\n                                               can be verified that strong password\n                                               controls are in place and the FBI has\n                                               established a policy requiring a unique\n                                               password and each user account is\n                                               periodically reviewed for compliance.\n1999       Ensure that the Finance             The FBI\xe2\x80\x99s March 2001 response to the\nMW#19      Division\xe2\x80\x99s LAN administrators       recommendation stated that the Finance\n           check their Novell NetWare          Division system administrators enabled\n           configuration against the           auditing on all volumes with the\n           parameters in the FBI Novell        exception of CD-ROM volumes. The\n           NetWare Baseline Documentation      FBI\xe2\x80\x99s response dated June 2002 stated\n           and ensure it agrees with the       that all Finance Division servers had\n           recommended FBI MIOG, and FBI       been upgraded and configured to meet\n           ADPT Security Policy                current security guidelines and that\n           configuration settings.             auditing has been enabled on all\n                                               volumes. 
The OIG\xe2\x80\x99s response dated\n                                               October 2002 stated that this\n                                               recommendation can be closed when\n                                               annual financial statement audit test\n                                               work verifies that auditing is enabled as\n                                               required.\n2001       Ensure compliance with              According to OIG correspondence to the\nMW#3       documented policies and             FBI, these recommendations can be\n2000       procedures as they pertain to       closed when annual financial statement\nMW#2       account restrictions, system        audit test work verifies the FBI\xe2\x80\x99s Trilogy\n1999       monitoring, and data                upgrades, scheduled for February 2003,\nMW#6       confidentiality for the FBI\xe2\x80\x99s       include automated systems for\n1998       information technology              monitoring server configurations to\nRC#6       environments.                       ensure that settings that affect policies\n                                               and procedures are not changed\n                                               accidentally.\n2001       Enable the auditing function on     According to OIG correspondence to the\nMW#4       the Finance Division\xe2\x80\x99s Netware      FBI, this recommendation can be closed\n2000       environment.                        
when annual financial statement audit\nMW#3                                           work verifies that auditing is enabled on\n1999                                           all volumes and objects on the Finance\nMW#10                                          Division\xe2\x80\x99s LAN.\n1998\nRC#8g\n\n\n\n\n                                      - 91 -\n\x0c2001   Continue developing the database     The FBI\xe2\x80\x99s September 2002 response to the\nMW#5   programmer profile to ensure the     recommendation stated that the Unit\n       database staff are only granted      Chiefs of the Systems Programming and\n       the access needed to perform their   Integration Unit (SPIU) and the Data\n       job tasks. Additionally, we          Management Unit had agreed to a\n       recommend the systems                restructuring of functions for staff in both\n       programmer ACID not access the       units. A transition plan to implement this\n       \xe2\x80\x9cPAY.* datasets.\xe2\x80\x9d                    restructure had been finalized.\n                                            Additionally, Systems Security and Access\n                                            Unit staff were in the process of\n                                            implementing separate security profiles for\n                                            SPIU and Data Management Unit staff\n                                            based on the access levels agreed to by\n                                            the Unit Chiefs of each unit. 
Further,\n                                            Systems Security and Access Unit staff had\n                                            removed access to the \xe2\x80\x9cPAY.* datasets\xe2\x80\x9d for\n                                            the systems programmer ACID in question.\n  Source: OIG analyses of April 2003\n\n\n\n\n                                     - 92 -\n\x0c     Application Software Development and Change Controls:\n                     Closed Recommendations\n\n FY(s)        Recommendation                            FBI\xe2\x80\x99s Progress\n1996/97   Develop and maintain a       The FBI\xe2\x80\x99s February 1999 response to the\nMLC#28    configuration                recommendation stated that although the FBI\n          management process           had developed the Architecture Change\n          addressing changes to        Management Rules, Standards, and Procedures\n          overall ADPT resources.      Version 1.0 document, the implementation was\n          Configuration changes        still ongoing. The ongoing status was also\n          should be reviewed,          repeated in the FBI\xe2\x80\x99s response dated July 1999.\n          approved, tested,            The recommendation was closed by the OIG in\n          evaluated, and               October 2002 based on a review of corrective\n          documented to show the       actions taken.\n          impact on computer and\n          telecommunications\n          security features.\n1996/97   Expedite the                 The FBI\xe2\x80\x99s February 1999 response to the\nMLC#29    implementation of the        recommendation stated that although the Bureau\n          ACM methodology entity-      developed ACM procedures and incorporated the\n          wide. Remove write           LAN management into the ACM Rules, Standards\n          access privilege from the    and Procedures, the status of the corrective\n          profile of an individual     action was still ongoing. 
This recommendation\n          who does not require that    was closed by the OIG in October 2002 based on\n          type of access.              a review of corrective actions taken.\n1996/97   The SPIU should develop      The FBI\xe2\x80\x99s February 1999 response to the\nMLC#31    and implement                recommendation stated that the SPIU Unit Chief\n          procedures to ensure all     would draft a policy mandating the entering of all\n          system problems are          system problems into NetMan and that this policy\n          entered into NetMan.         would be effective by March 1999. This\n                                       recommendation was closed in December 1999\n                                       by the OIG based on a review of the corrective\n                                       actions taken.\n2000      Ensure the IRD enhances      The FBI\xe2\x80\x99s September 2001 response to the\nMW#17     the ACM document to          recommendation stated that FBI management\n1999      comprehensively address      did not totally agree with the recommendation.\nRC#36     any type of change to the    However, the QCMU had developed an action\n1996/97   computer based               plan to ensure all IRD software development and\nRC#17     application system and its   maintenance projects complied with change\n          environment, including       management policies and procedures by an\n          changes to hardware,         estimated completion date of September 2001.\n          software, and firmware.      This recommendation was closed by the OIG in\n          Once the enhancements        October 2002 based on a review of the corrective\n          are made, ensure the         actions taken.\n          FMS program owners\n          consistently apply the\n          policy to establish a\n          division-wide commitment\n          to software maintenance.\n\n\n\n\n                                       - 93 -\n\x0c2001     a. 
FY(s): MW#6; 2000 MW#19
Recommendation: Ensure that the methodology set forth within the ACM is consistently applied to the FMS application. All changes should be documented in the Service Center software.
b. Implement the unit test and system plans throughout IRD to standardize, control, and document changes made to the application and system software. The use of the Service Center software to track all change requests, from initiation through final disposition, should be enforced with the planned compliance audits throughout IRD.
FBI’s Progress: The FBI’s September 2001 response to the recommendation stated that the QCMU developed an action plan to ensure all IRD software development and maintenance projects complied with change management policies and procedures. The recommendation was closed in October 2002 based on a review of the corrective actions taken.

FY(s): 2000 MW#18; 1999 RC#44
Recommendation: Enforce emergency change procedures stated within the ACM for applications. At a minimum, the emergency change procedures should be documented after the fact and should specify:
• when emergency software changes are warranted;
• who may authorize emergency changes;
• how emergency changes are to be documented; and
• within what period after implementation the change must be tested and approved.
FBI’s Progress: The FBI’s September 2001 response to the FY 2000 recommendation stated that the IRD Payroll Application Project Manager had been advised that he must follow the ACM Procedures defined in the IRD and that all emergency changes need to be entered in the Service Center Management tool. The FY 2000 recommendation was closed by the OIG upon final issuance of the FY 2000 report, and the OIG followed up on this recommendation through its monitoring of the status of the FY 1999 report. The FY 1999 recommendation was subsequently closed by the OIG in October 2002 based on a review of corrective actions taken.

Source: OIG analyses as of April 2003

Application Software Development and Change Controls: Open Recommendations

FY(s): 1996/97 MLC#30
Recommendation: Develop and implement a policy requiring periodic independent reviews of all major systems development activities at each major activity milestone. The policy should specify the scope, timing, and format for reporting the results.
FBI’s Progress: The FBI’s February 1999 response stated that the QCMU was formed to address this recommendation. The quality control function of the QCMU is responsible for performing reviews of all phases of the system development life cycle. According to FBI correspondence to the OIG (with the most recent dated June 2002), the QCMU is currently in the process of obtaining contract services to assist in the development of a Common Software Process. The QCMU will develop and perform audits to ensure that projects are in compliance with the Project Management Process.

FY(s): 2000 MW#16; 1999 RC#35; 1998 RC#21; 1996/97 RC#18
Recommendation: Implement an automated software management system in order to automate the transfer of all program source code, object code, executable code, interpretable code, control information, and the associated documentation to run a system.
FBI’s Progress: The FBI’s September 2001 response to the recommendation stated that a software library management system is needed to control the movement of software components between environments. However, the purchase of the software system was not planned until December 31, 2001. The OIG responded by stating that this recommendation can be closed when it can verify that an automated software management system is implemented.

Source: OIG analyses as of April 2003

System Software Controls: Closed Recommendations

FY(s): 1996/97 MLC#33
Recommendation: Perform an analysis to determine which libraries and associated members are necessary for proper system performance. A periodic assessment should be performed on the Multiple Virtual Storage operating system to archive and/or delete data sets no longer needed or being used.
FBI’s Progress: The FBI’s February 1999 response to the recommendation stated that the Bureau agreed with the recommendation. This recommendation was subsequently closed by the OIG upon issuance of the final report based on a review of the corrective actions taken.

FY(s): 1996/97 MLC#34
Recommendation: The SPIU should implement procedures to ensure that all system documentation is current and complete and that changes to documentation are reflected timely and disseminated to applicable individuals.
FBI’s Progress: The FBI’s February 1999 response to the recommendation stated that the SPIU has implemented Change Management to comply with the recommendation. This recommendation was closed by the OIG upon issuance of the final report based on a review of the corrective actions taken.

FY(s): 1996/97 MLC#35
Recommendation: Conduct the following reviews at least quarterly: compare system programmer access privileges per the applicable security software to the employee’s current job functions, and adjust accordingly; and determine system programmers’ use of sensitive utilities and its reasonableness.
FBI’s Progress: The FBI’s February 1999 response to the recommendation stated that the FBI had put an alternate corrective action plan in place because the recommendation was not workable with the current SPIU personnel resources. The recommendation was subsequently closed by the OIG upon the issuance of the final report based on a review of the alternative corrective action taken.

FY(s): 1996/97 MLC#36
Recommendation: The SPIU should develop and implement a system software control policy to ensure that system software is current.
FBI’s Progress: The FBI’s February 1999 response to the recommendation stated that the FBI would implement the recommended policy regarding system software control by the estimated completion date of March 1999. Additionally, the FBI stated that as of January 1999, all systems executing mission-critical applications had been upgraded. This recommendation was closed by the OIG on issuance of the final report based on a review of the corrective actions taken.

FY(s): 2000 MW#11
Recommendation: Configure the operating system parameters to log all the associated transactions for the respective SMF records.
FBI’s Progress: The FBI’s September 2001 response to the recommendation stated that the Bureau employed an alternative method that complied with the applicable regulations. The recommendation was closed in October 2002 by the OIG based on a review of the alternative corrective action taken.

FY(s): 2000 MW#12
Recommendation: Establish and implement a formal change control process for changes to Supervisor Calls and Programs Property Tables programs.
FBI’s Progress: The FBI’s September 2001 response to the recommendation stated that the FBI established and implemented an internal change management methodology and process for changes to Supervisor Calls, while a similar process would soon be completed for Programs Property Tables programs. The recommendation was closed by the OIG in October 2002 based on a review of the corrective actions taken.

FY(s): 1999 RC#35; 1998 MLC#21; 1996/97 RC#18
Recommendation: Establish and implement a formal change control process for changes to system software. The policies and procedures should include:
• documented justification for making the change or utilizing sensitive utilities, and management approval; and
• periodic inspections, investigations of unusual activities, and recommended actions in the event these activities occur.
FBI’s Progress: The FBI’s March 2001 response to the recommendation stated that the SPIU developed an internal change management methodology and process to complement the architecture change management rules, standards, and procedures. In March 2000, this new process was presented to all SPIU personnel. The recommendation was closed by the OIG in October 2002 based on a review of the corrective actions taken.

Source: OIG analyses as of April 2003

Segregation of Duty Controls: Closed Recommendations

FY(s): 1996/97 MLC#37
Recommendation: The IRD management should assess the need for additional personnel at the staff level within the data security administrative function.
FBI’s Progress: The FBI’s February 1999 response to the recommendation stated that the FBI created a new unit that would address this recommendation. This recommendation was closed by the OIG upon issuance of the final report based on a review of the corrective actions taken.

FY(s): 1996/97 MLC#38
Recommendation: The IRD should perform an analysis of the potential benefits of applying business process re-engineering and/or activity-based costing processes to current operations in order to enhance effectiveness, efficiency, and productivity.
FBI’s Progress: The FBI’s February 1999 response to the recommendation stated that the FBI created a new unit that would address this recommendation. The recommendation was closed by the OIG in December 1999 based on a review of the corrective actions taken.

FY(s): 2001 MW#8; 2000 MW#21
Recommendation: Ensure application administrators and programmers do not have direct update access to both test and production application programs.
FBI’s Progress: The FBI’s September 2002 response to the recommendation stated that, due to the limited resources on projects, application programmers required update access to the production environment. Additionally, as of August 2002, 97 of 152 libraries had been completed. Further, both the PMA and Payroll Applications (addressed in the finding) had been restricted. This recommendation was closed in October 2002 based on a review of the corrective actions taken.

FY(s): 2001 MW#7; 2000 MW#20
Recommendation: Establish guidance, policies, procedures, and awareness of segregation of duties within the divisions and units.
FBI’s Progress: The FBI’s September 2002 response to the recommendation stated that a goal of the FBI’s new Security Division was to develop a professional information security cadre. The role of the Information System Security Officer was under development. A coordinated effort was also underway to define the security knowledge and skills required by the Information System Security Officer role based upon the best practices of industry and the Intelligence Community. The above-described Security Training, Education and Awareness Program was to assist in ensuring that the appropriate type and level of security knowledge is built into courses and curriculum for the Information System Security Officer as well as each functional FBI role. This recommendation was closed during the FY 2002 Financial Statement Audit based on a review of the corrective actions taken.

Source: OIG analyses as of April 2003

Segregation of Duty Controls: Open Recommendations

FY(s): 2001 MW#9
Recommendation: Ensure that the administrative process surrounding the payroll-related functions is documented and maintained to ensure the consistent application of the payroll-related administrative process in the Payroll Administration and Processing Unit and the Personnel Staffing Unit.
FBI’s Progress: The FBI’s September 2002 response to the recommendation stated that the Payroll Administration and Processing Unit and the Staffing Unit would document payroll-related functions and administrative procedures to ensure consistent application by the staff of the two units. The documentation was to include operating manuals setting forth the procedures for processing each of the payroll-related functions. The FBI provided an estimated completion date for this recommendation of September 2002.

Source: OIG analyses as of April 2003

Service Continuity Controls: Closed Recommendations

FY(s): 1996/97 MLC#21
Recommendation: Develop procedures to ensure that daily back-up tapes are stored in a fireproof vault that is secure and not located within the immediate Data Center, to prevent the loss of up to nine days of electronic transactions.
FBI’s Progress: The FBI’s February 1999 response to the recommendation cited a 3-phase implementation process allowing the FBIHQ Data Center to store the weekly backups from each of its two facilities online. This recommendation was closed by the OIG upon issuance of the final report based on a review of the corrective actions taken.

FY(s): 1996/97 MLC#22
Recommendation: Keep the daily backup tapes in a fire-rated safe if they are located within each division and at the designated off-site location, to facilitate recovery in the event of a disaster affecting access to FBIHQ.
FBI’s Progress: The FBI’s February 1999 response to the recommendation stated that the Bureau had taken corrective action to ensure LAN server backups were performed on a regular basis and secured accordingly. This recommendation was closed by the OIG upon the final report’s issuance based on a review of the corrective actions taken.

FY(s): 1999 MW#20; 1998 RC#20b; 1996/97 RC#15
Recommendation: Continue plans to develop a comprehensive contingency plan that provides an entity-wide approach for the recovery of mission-critical data processing operations in the event of a disaster, including all FBI resources and business processes. The plan should provide detailed procedures for the recovery of computer operations, including mainframes, microcomputers, workstations, networks and telecommunications, hardware, and facilities.

FY(s): 1999 MW#21
Recommendation: Assign responsibility to a team of individuals to ensure full back-up and recovery is performed.

FY(s): 1999 MW#22; 1998 RC#20b; 1996/97 RC#16
Recommendation: Periodically test the comprehensive plan, document the test results, and update the plan as necessary.

FBI’s Progress (MW#20, MW#21, and MW#22): The FBI’s March 2001 response to the recommendations stated that, as part of its corrective action, the FBI entered into a contract for the development of a continuity of operations report (COOP) and a concept of operations report (CONOP). The CONOP is for the development of an FBIHQ COOP support system designed to provide critical, uninterrupted FBIHQ support should a terrorist act, natural disaster, or major accident deny use of or access to the FBIHQ or its resources. The COOP was scheduled for completion in April 2000. These recommendations were closed upon the issuance of the FY 1999 final report based on a review of the corrective actions taken.

FY(s): 1999 MW#25
Recommendation: Design and implement tests of the current disaster recovery plan to ensure that it works and that restoration of services occurs in a time frame consistent with the expectations of FBI management. Testing should occur not less than annually and include, but not be limited to, the following components:
• supervision by a disaster recovery coordinator;
• variation in disaster recovery coordinator;
• utilization of multiple teams;
• stated objectives;
• debriefing sessions; and
• retention of adequate documentation.
FBI’s Progress: The FBI’s March 2001 response to the recommendation stated that the Data Center Contingency Plan was last updated in February 2001, and is revised semiannually in accordance with Federal Information Processing Standards (FIPS) Publication No. 87, ADP Contingency Planning Guidelines. The OIG responded by stating that the recommendation can be closed when annual financial statement audit test work verifies that management has designed and implemented tests of the current disaster recovery plan. This recommendation was closed by the OIG in October 2002 based on a review of the corrective actions taken.

FY(s): 1999 MW#26
Recommendation: Ensure that the FBI or co-located DOJ disaster recovery facility has full back-up capacity.
FBI’s Progress: The FBI’s March 2001 response to the recommendation stated that implementation of the IBM Capacity Backup feature ensures that each disaster recovery facility has full backup capacity. The OIG responded by stating that the recommendation can be closed when annual financial statement audit test work verifies that the FBI or co-located DOJ disaster recovery facility has full back-up capacity. This recommendation was closed by the OIG in October 2002 based on a review of the corrective actions taken.

FY(s): 1999 MW#32
Recommendation: Ensure all data center personnel are informed when the ADPT contingency plan has been completed and approved and that employees have access to the plan.
FBI’s Progress: The FBI’s March 2001 response to the recommendation stated that Data Center Unit employees had been briefed on emergency procedures and responsibilities through hands-on training and by distributing written policies and procedures. The recommendation was closed by the OIG upon issuance of the FY 1999 final report based on a review of the corrective actions taken.

FY(s): 1999 MW#33
Recommendation: Develop entity-wide policies and procedures for performing back-ups, which include:
• the required frequency with which files should be backed up;
• off-site rotation policies;
• retention policies;
• monitoring to ensure that back-ups are complete; and
• definition of roles and responsibilities.
FBI’s Progress: The FBI’s March 2001 response to the recommendation stated that Application Project Managers are responsible for determining the backup frequency and retention periods as documented in the FBIHQ Computer Center User Reference Manual. This recommendation was closed by the OIG upon issuance of the FY 1999 final report based on a review of the corrective actions taken.

FY(s): 2000 MW#13; 1999 MW#28
Recommendation: Include test scenarios and test plans, as suggested by FIPS Publication No. 87, in the FBI’s Headquarters Data Center Contingency Plan. Specifically:
• identify test scenarios for emergency procedures and disaster recovery, and
• establish processing priorities in the event of a disaster.
FBI’s Progress: The FBI’s September 2001 response to the recommendation stated that the Data Center Contingency Plan was last updated in February 2001 and that the plan had been finalized and copies were maintained off-site and were disseminated. This recommendation was closed by the OIG in October 2002 based on a review of the corrective actions taken.

Recommendation: Test the contingency plan.
FBI’s Progress: The FY 2000 recommendation was closed by the OIG upon final issuance of the FY 2000 final report.

FY(s): 2000 MW#14a; 1999 MW#27
Recommendation: • Prepare and maintain a long-term schedule of the planned semiannual tests to ensure all critical functions covered by the Business Recovery Plan are tested every one to two years, whenever significant changes to the plan have been made, or when there is turnover of key people involved in disaster recovery.
FBI’s Progress: • The OIG followed up on this recommendation through its monitoring of the status of the FY 1999 report. The FY 1999 recommendation was subsequently closed by the OIG in October 2002 based on a review of corrective actions taken.

FY(s): 2000 MW#14b; 1999 MW#28
Recommendation: • Test a number of different scenarios while conducting semiannual tests.
FBI’s Progress: • The OIG followed up on this recommendation through its monitoring of the status of the FY 1999 report. The FY 1999 recommendation was subsequently closed by the OIG in October 2002 based on a review of corrective actions taken.

FY(s): 2000 MW#14c; 1999 MW#29
Recommendation: • Conduct a full test every two to three years to ensure the viability of the disaster recovery plan.
FBI’s Progress: • The OIG followed up on this recommendation through its monitoring of the status of the FY 1999 report. The FY 1999 recommendation was subsequently closed by the OIG in October 2002 based on a review of corrective actions taken.

FY(s): 2000 MW#14d; 1999 MW#24
Recommendation: • Finalize the plan and maintain copies at an off-site location.
FBI’s Progress: • This recommendation was closed by the OIG upon final issuance of the FY 2000 report based on a review of corrective actions taken.

FY(s): 2000 MW#15; 1999 MW#31
Recommendation: Brief Data Center personnel on emergency procedures and responsibilities through training sessions and by distributing written policies and procedures. Training sessions should be held at least once a year and whenever changes to emergency plans are made.
FBI’s Progress: The FBI’s September 2001 response to the recommendation stated that the Data Center Unit employees have been briefed on emergency procedures and responsibilities through hands-on training and by distributing written policies and procedures. This recommendation was closed by the OIG in October 2002 based on a review of the corrective actions taken.

Source: OIG analyses as of April 2003

Service Continuity Controls: Open Recommendations

FY(s): 1999 MW#23
Recommendation: Continue to update the ADPT contingency plan, addressing the weaknesses identified and using FIPS Publication No. 87, ADP Contingency Planning Guidelines.
FBI’s Progress: The FBI’s March 2001 response to the recommendation stated that the Data Center Contingency Plan was last updated in February 2001, and is revised semiannually in accordance with FIPS Publication No. 87, ADP Contingency Planning Guidelines. The OIG responded by stating that the recommendation can be closed when annual financial statement audit test work verifies that management has acquired the IBM Capacity Backup feature and that test plan scenarios have been developed in accordance with FIPS Publication No. 87, Guidelines for ADP Contingency Planning. The FBI’s June 2002 response stated that the mainframe was running at 60 percent capacity. The OIG’s response dated October 2002 stated that this recommendation can be closed when annual financial statement audit test work verifies that the production test exercise involving transfer of production operations applications to their back-up site has been completed. This exercise was scheduled for November 2002.

FY(s): 2000 MW#14e; 1999 MW#30
Recommendation: Ensure the Finance Division has developed and distributed to end-users a contingency plan covering its information technology applications. The plan should be consistent with the ADPT Contingency Plan maintained by the FBIHQ Data Center.
FBI’s Progress: The FY 2000 recommendation was closed by the OIG upon final issuance of the FY 2000 final report. The OIG followed up on this recommendation through its monitoring of the status of the FY 1999 report. The FBI’s September 2001 response to the recommendation stated that the plan has been finalized and that copies are maintained at the off-site location and disseminated to appropriate personnel. The OIG responded by stating that this recommendation can be closed when annual financial statement audit test work verifies that the Finance Division has developed and distributed to end-users a contingency plan covering its information technology applications. The FBI’s June 2002 response stated that the completion date for all contingency plans was July 2002.

Source: OIG analyses as of April 2003

Application Controls: Closed Recommendations

FY(s): 1998 RC#19
Recommendation: Evaluate FMS security features to determine if control over application transactions can be more effectively managed by CA-Top Secret.
FBI’s Progress: The FBI’s June 2000 response to the recommendation stated that the System Security Access Unit generates an FMS CA-Top Secret profile file on a weekly basis for review by the FMS staff. This recommendation was closed by the OIG in October 2002 based on a review of the corrective actions taken.

FY(s): 1999 MW#34
Recommendation: Review the budgetary module of the FMS, determine the cause of the application security weakness allowing for the transfer of funds beyond the authorized balance, and take the appropriate measures to ensure adequate controls are in place.
FBI’s Progress: The FBI’s March 2001 response to the recommendation stated that the FMS software vendor was notified and, after a review of the test data, provided the FBI with a software resolution. The software resolution was successfully tested and implemented into the production FMS in March 2000. This recommendation was closed by the OIG upon issuance of the FY 1999 final report based on a review of the corrective actions taken.

FY(s): 1999 RC#37
Recommendation: Define, document, and communicate the roles and responsibilities for changing code to the Payroll Application.

FY(s): 1999 RC#38
Recommendation: Review the list of users having access to the Payroll application code, determine which users should not be making changes in accordance with their duties and responsibilities, and revoke access to users who should not be making changes.

FY(s): 1999 RC#39
Recommendation: Ensure that user access to payroll code is authorized, documented, and periodically reviewed.

FBI’s Progress (RC#37, RC#38, and RC#39): The FBI’s March 2001 response to the recommendations stated that the IRD has limited the number of programmers who can move code to the production environment. Limiting the number of programmers minimizes the risk of unauthorized access to the production environment. These recommendations were closed by the OIG upon issuance of the FY 1999 final report based on a review of the corrective actions taken.

FY(s): 1999 RC#40
Recommendation: Establish a new Payroll test and development environment.

FY(s): 1999 RC#41
Recommendation: Establish a separate test environment for developing and/or modifying application changes.

FY(s): 1999 RC#42
Recommendation: Periodically review and modify the new test environment.

FY(s): 1999 RC#43
Recommendation: Adhere to the FBI’s change management processes for applications and system software once formal processes have been developed.

FBI’s Progress (RC#40 through RC#43): The FBI’s March 2001 response to the recommendations stated that the IRD has created a separate test environment for the Payroll Application. This environment mimics the production environment and permits the programmers to perform complete tests on all changes. When all parties involved are satisfied, the changes are moved to the production environment. These recommendations were closed by the OIG upon issuance of the FY 1999 final report based on a review of the corrective actions taken.

FY(s): 2000 RC#22
Recommendation: Perform an assessment of financial data to ensure the issue has not impacted the FY 2000 Financial Statements.
FBI’s Progress: The FBI’s September 2001 response to the recommendation stated that the FMS software vendor was made aware of the problem and provided the FBI a software resolution, which was tested and implemented into the production FMS in March 2000. This recommendation was closed by the OIG in October 2002 based on an assessment of the financial data in the FY 2000 financial statements.

Source: OIG analyses as of April 2003

Application Controls: Open Recommendations

FY(s): 2000 RC#23
Recommendation: Coordinate with the General Services Administration to synchronize file formats so that data sent via Simplified Intergovernmental Buying and Collection will correctly interface with the FMS application.
FBI’s Progress: The FBI’s September 2001 response to the recommendation stated that the Finance Division had not made a request to have the process looked into or to change the file format. The OIG responded by stating that the recommendation could be closed when it verifies that the file formats are synchronized so data can be sent via Simplified Intergovernmental Buying and Collection to correctly interface with the FMS application. Additionally, in October 2002, the OIG’s updated response stated that the recommendation could be closed when annual financial statement audit test work verifies that the Intra-governmental Payment and Collection System is in place and manual data entry of obligations and expenses is effective.

FY(s): 2000 RC#24
Recommendation: Ensure the FPDS screen is modified to include all the fields required for accurate procurement reporting.
FBI’s Progress: The FBI’s September 2001 response to the recommendation stated that the Property Procurement and Management Section was submitting a request detailing the specific fields that need to be added.
The OIG responded by stating\n                                      that this recommendation can be closed when\n                                      annual financial statement audit test work verifies\n                                      that the corrective action was completed.\n2000     Currently there is no        The FBI\xe2\x80\x99s September 2001 response to the\nRC#25    restriction in place to      recommendation stated that the software vendor\n         prevent operators from       had been requested to make enhancements so that\n         selecting any valid field    the FMS will subsequently ensure the appropriate\n         identification or buyer      enhancements are incorporated. The OIG\xe2\x80\x99s most\n         identification. Continue     recent response dated October 2002 stated that the\n         to pursue actions            recommendation can be closed pending verification\n         initiated to correct this    of corrective action.\n         problem as soon as\n         possible.\n2001     Remove the additional        The FBI\xe2\x80\x99s September 2002 response to the\nMW#10    access capability from       recommendation stated that the Financial Systems\n         any PMA user not             Unit cost code 0448 is charged with the\n         authorized or required to    responsibility of providing technical support for the\n         have the additional          PMA to include software development and\n         access to complete their     maintenance, quality assurance, ad-hoc reporting,\n         job function.                physical inventory support, responsiveness to\n                                      oversight inquiries, and troubleshooting calls. 
Due\n                                      to the nature of PMA activity, Financial Systems Unit\n                                      management has designated that up to six\n                                      employees in 0448 should have global access to\n                                      PMA reporting. In support of this, the Financial\n                                      Systems Unit will replace 0448 references with\n                                      software embedded accessor identifications. The\n                                      OIG responded by stating that this recommendation\n                                      can be closed upon verification of corrective action.\n\n\n                                        - 109 -\n\x0c2001   Develop and implement      The FBI\xe2\x80\x99s September 2002 response to the\nMW#11  a plan to ensure:          recommendation stated that the Unit Chief of the\n       a. input control           Property Management Unit will request that the\n           weaknesses             programmers assigned to the Financial Systems Unit\n           identified in the PMA  modify the PMA to require users to verify the\n           are appropriately      barcode number and the serial number before\n           addressed, and         property is entered into the PMA. In addition, the\n       b. 
the risk associated     PMU will contact the Firearms Training Unit and the\n           with the processing    Firearms-Toolmarks Unit to request that they begin\n           control weaknesses     reviewing the firearms and firearm accessories data\n           in the PMA are         maintained on the PMA.\n           mitigated to ensure\n           that all property is\n           entered, and\n           purchase order and\n           property numbers\n           are accounted for.\n   Source: OIG analyses as of April 2003\n\n\n\n\n                                    - 110 -\n\x0c   Other Financial-Related IT Areas: Closed Recommendations\n\n FY(s)       Recommendation                              FBI\xe2\x80\x99s Progress\n1996/97   Year 2000: Provide         The FBI\xe2\x80\x99s February 1999 response to the\nMLC#19    monthly status briefings   recommendation stated that the FBI\xe2\x80\x99s\n          to the Director of the     Senior Official for Year 2000 regularly briefed the\n          FBI on the status of the   Deputy Director and provided monthly progress\n          Year 2000 project.         reports on all Year 2000 efforts. This\n                                     recommendation was closed by the OIG upon\n                                     issuance of the final report based on a review of the\n                                     corrective actions taken.\n1996/97 Strategic Planning:          The FBI\xe2\x80\x99s February 1999 response to the\nMLC#20 Develop and maintain          recommendation stated that the FBI completed a\n         an IT strategic plan that strategic plan during 1997 and 1998 and the\n         projects technology         FBI Strategic Plans will be updated annually. This\n         spending for a 3 to         recommendation was closed by the OIG upon\n         5-year period.              
issuance of the final report based on a review of the\n                                     corrective actions taken.\n1996/97 Network Encryption:          The FBI\xe2\x80\x99s February 1999 response to the\nMLC#32 Evaluate encryption           recommendation stated that the FBI is continuing to\n         alternatives to reduce      evaluate new security technologies as they evolve.\n         the risk of compromising This recommendation was closed by the OIG upon\n         sensitive information.      issuance of the final report based on a review of the\n                                     corrective actions taken.\n    Source: OIG analyses as of April 2003\n\n\n\n\n                                       - 111 -\n\x0c2. Recommendations on the FBI\xe2\x80\x99s FY 2001 GISRA Report\n\n             FY 2001 GISRA Report\xe2\x80\x99s Management Controls:\n                       Closed Recommendation\n\n      Recommendation                                    FBI\xe2\x80\x99s Progress\n   #1. Define and             The FBI\xe2\x80\x99s April 2002 response to the recommendation\n   document all criticality   stated that all criticality factors had been articulated and\n   levels used to classify    documented. However, the OIG stated in the May 2002\n   applications.              GISRA report that the FBI should complete and update the\n                              criticality levels within the risk analysis of the System\n                              Security Authorization. In June 2002, the FBI provided the\n                              OIG\xe2\x80\x99s contractor with documentation evidencing the\n                              criticality levels of risk analyses within the System Security\n                              Authorization documents for the investigative and\n                              administrative systems. This documentation resulted in\n                              the OIG closing the recommendation in December 2002.\n   #4. 
Document a             The FBI\xe2\x80\x99s April 2002 response to the recommendation\n   corrective action plan to  stated that a detailed action plan had been created and\n   address the                disseminated to all affected components. The OIG closed\n   vulnerabilities identified this recommendation in April 2003 after receiving\n   in the risk analysis for   documentation from the FBI that demonstrated the\n   the investigative and      corrective action plan to address the vulnerabilities\n   administrative             identified in the risk analyses for the investigative and\n   mainframe systems that     administrative mainframe systems.\n   describe how each of the\n   recommended actions\n   will be accomplished.\n      Source: OIG analyses as of April 2003\n\n\n\n\n                                        - 112 -\n\x0c         FY 2001 GISRA Report\xe2\x80\x99s Management Controls:\n                   Open Recommendations\n\n   Recommendation                                  FBI\xe2\x80\x99s Progress\n#2. Distribute, obtain,    Although the FBI did not initially agree with this\nand maintain signed        recommendation in their April 2002 response to the OIG\xe2\x80\x99s\nstatements of end-users\xe2\x80\x99   recommendation, the subsequent response dated June 2002\nacknowledgement of the     concurred with the recommendation and indicated that\nAutomated Information      alternative corrective actions were in place. However, the\nSystem Rules of            documentation sent to the OIG in June 2002 did not provide\nBehavior for the           adequate evidence to show employee acknowledgement of\ninvestigative and          the Rules of Behavior. The provided documentation lacks\nadministrative             signatures, proof of being an FBI document, and a means to\nmainframe systems.         determine that those employees who missed the mandatory\n                           training sessions received the Rules of Behavior. 
The OIG is\n                           requesting that all FBI users receive the proper training in\n                           regard to the rules of behavior and that it receive\n                           documentation demonstrating that FBI users receive\n                           training.\n#3. Ensure the MIOG        The FBI reported that a top to bottom review of existing FBI\nand other FBI security     policy is underway and it is anticipated that the current\npolicies reflect the       MIOG policies and procedures will be substantially altered to\nevolving systems           conform to current standards. To close the\nenvironment and are        recommendation, the FBI should provide the OIG with a copy\nenforced.                  of the updated procedures and evidence that the procedures\n                           are being enforced.\n\n\n#5. Obtain a full          The FBI\xe2\x80\x99s responses to this recommendation stated that the\naccreditation for the      OIG \xe2\x80\x9crequirement\xe2\x80\x9d for full accreditation of the administrative\ninvestigative and          and investigative mainframes without conditions is not only\nadministrative             unachievable in the current FBI environment, but outside of\nmainframe systems from     the OIG authority. The FBI further stated that the\nthe FBI\xe2\x80\x99s approving        Designated Approving Authority (DAA) is the only official,\nauthority; a conditional   besides the Principal Accrediting Authority, with the authority\naccreditation should be    to \xe2\x80\x9cformally assume responsibility for operating a system at\nunacceptable.              
an acceptable level of risk.\xe2\x80\x9d According to the FBI, the DAA\n                           has made the decision to permit the investigative and\n                           administrative mainframe systems to operate at their current\n                           level of risk for technical, management, and operational\n                           reasons. To resolve and close this recommendation, the FBI\n                           should provide the OIG with documentation evidencing that\n                           the DAA has accepted the inherent risk by signing the\n                           accreditation memorandum granting full accreditation to the\n                           investigative and administrative mainframe systems.\n\n\n\n\n                                     - 113 -\n\x0c#6. Conduct annual       The FBI\xe2\x80\x99s responses to this recommendation stated that it is\nrefresher computer       working on an initiative that includes developing a variety of\ntraining for all         training awareness curricula for delivery to every employee.\nemployees.               It also stated that the design and development of this effort\n                         is expected to continue through the calendar year and be\n                         ready for implementation at or near the start of 2003.\n                         Because the documentation the FBI submitted to the OIG in\n                         June 2002 was not complete with signatures, titles, dates\n                         and times, the recommendation remained open as of April\n                         2003.\n  Source: OIG analyses as April 2003\n\n\n\n\n                                    - 114 -\n\x0c             FY 2001 GISRA Report\xe2\x80\x99s Operational Controls:\n                       Closed Recommendation\n\n       Recommendation                                  FBI\xe2\x80\x99s Progress\n#7. 
Restrict access to all wiring The FBI\xe2\x80\x99s April 2002 and June 2002 responses to the\nclosets.                          recommendation stated that all wiring closets have\n                                  appropriate locks in place and employees with access\n                                  to these restricted areas have been reminded of\n                                  required security. The OIG closed this\n                                  recommendation in April 2003 after receiving\n                                  documentation from the FBI that evidenced its\n                                  reminder of required security to employees with access\n                                  to restricted areas.\n#10. Establish optimal operating The FBI\xe2\x80\x99s April 2002 response to the recommendation\nsystem capacities and implement stated that in September 2001, a mainframe system\nprocedures to alleviate the near  update was performed to rectify the issue of system\ncapacity usage.                   capacity at both Data Centers. Upon verification of the\n                                  corrective actions by the OIG contractor, the\n                                  recommendation was closed upon issuance of the final\n                                  report.\n     Source: OIG analyses as of April 2003\n\n\n\n\n                                       - 115 -\n\x0c                 FY 2001 GISRA Report\xe2\x80\x99s Operational Controls:\n                         Open Recommendation\n\n     Recommendation                           FBI\xe2\x80\x99s Progress\n#8. Document               The FBI\xe2\x80\x99s April 2002 and June 2002 responses to the\nprocedures for identifying recommendation stated that the Data Center\nand restoring mission-     manuals have been updated as of\ncritical systems.          
June 14, 2001, to reflect proper procedures for\n                           restoring the FBI mission-critical systems on the\n                           investigative and administrative mainframes. In the\n                           FBI\xe2\x80\x99s response dated June 2002, the FBI included a\n                           copy of the updated procedures. However, the\n                           documentation does not provide instructions as to\n                           the order the in which systems should be restored.\n                           Because the documentation the FBI submitted to the\n                           OIG in June 2002 was not complete, the\n                           recommendation remained open as of April 2003.\n#9. Complete the           The FBI\xe2\x80\x99s April 2002 response to the\nproduction test exercise   recommendation stated that backup and recovery\ninvolving the transfer of  procedures were tested for all investigative\nproduction operations and applications in January 2002 and were scheduled to\napplications to the backup be tested for administrative applications in\nsite and train Data Center October 2002. To close this recommendation, the\nstaff for this contingency FBI should provide documentation to the OIG\ncontrol.                   demonstrating the successful completion of the\n                           administrative applications transfer test conducted in\n                           the spring of 2003.\n      Source: OIG analyses as of April 2003\n\n\n\n\n                                       - 116 -\n\x0c            FY 2001 GISRA Report\xe2\x80\x99s Technical Controls:\n                    Closed Recommendations\n\n Recommendation                               FBI\xe2\x80\x99s Progress\n#12. 
Fully           The FBI\xe2\x80\x99s April 2002 response to the recommendations stated\nimplement and use    that the Security Access Request function was implemented in\nthe System Access    April 2001 and that the 12 accounts mentioned in the finding\nRequest function to  were not processed through the System Access Request.\ndocument user logon Subsequent to this response, the FBI provided the OIG with\nand verify that user documentation evidencing that the System Access Request\naccess is            function was fully implemented and being used to document\ncommensurate with    user logon and verify that user access is commensurate with\nassigned             assigned responsibilities. This documentation resulted in the\nresponsibilities.    OIG closing the recommendation in December 2002.\n#16. Ensure that     The FBI\xe2\x80\x99s April 2002 response to the recommendation stated\nthe communication    that its Inspection Division verified that none of the identified\ncarrier signals are  modems were connected to the FBI network in August 2001.\nnot connected to     Upon verification of the corrective, the recommendation was\nunencrypted network closed upon issuance of the final report in May 2002.\ndevices.\n  Source: OIG analyses as of April 2003\n\n\n\n\n                                     - 117 -\n\x0c            FY 2001 GISRA Report\xe2\x80\x99s Technical Controls:\n                     Open Recommendations\n\n Recommendation                                  FBI\xe2\x80\x99s Progress\n#11. Implement and      The FBI\xe2\x80\x99s April 2002 response to the recommendation stated\nenforce DOJ             that limitations with Novell and Windows NT software\npassword policies by    prevented full compliance with DOJ directives. 
The OIG\nre-setting and          disagreed with the FBI\xe2\x80\x99s position and indicated that DOJ\nmonitoring operating    policies could be complied with through password masking.\nsystem settings         FBI officials subsequently stated that they have implemented\naccordingly.            the DOJ policy with respect to passwords, with the exception\n                        of one, password masking, which is not available to ensure a\n                        mix of alphabetic, numeric, and special characters. The OIG\n                        has obtained information from Novell and found that since\n                        1999, Novell has provided an enhancement to the Novell Client\n                        software, which allows enforcement of a password policy using\n                        locally stored data to ensure a mix of alphabetic, numeric, and\n                        special characters. To close this recommendation, the FBI\n                        should implement a password policy to ensure a mix of\n                        alphabetic, numeric, and special characters and provide the\n                        OIG with a screen shot demonstrating that password setting\n                        have been implemented according to DOJ policy.\n#13. Enforce DOJ        The FBI\xe2\x80\x99s April 2002 response to the recommendation stated\nsecurity policies and   that controls are in place to limit a user\xe2\x80\x99s access to only the\nensure sufficient       information he/she needs to perform his/her job and\ncontrols for FBI        requested more information to further respond. The OIG\nsystems to operate      stated in December 2002 that the FBI continued to disagree\nso that authorized      with this recommendation. However, the FBI has\nusers have access to    subsequently agreed that there were deficiencies with network\nonly the information    accounts, and consequently initiated and completed a major\nthey are entitled to.   
effort to correct password deficiencies and ensure that\n                        password control options are set properly and enforced. In\n                        April 2003, the OIG stated that to close the recommendation,\n                        the FBI should provide documentation that identifies users\n                        with access to administrative and investigative systems as well\n                        as their roles and responsibilities. After reviewing this\n                        documentation, the OIG can determine if users have proper\n                        access to the systems and satisfy the terms to this\n                        recommendation.\n\n\n\n\n                                     - 118 -\n\x0c#14. Require that       The FBI\xe2\x80\x99s April 2002 response to the recommendation stated\nsystem                  that no automated process existed on its local networks to\nadministrators          assist system administrators with the function of periodically\nperiodically review     reviewing and deleting system accounts that have been\nand delete all system   unused for more than 90 days, but the process would be\naccounts that have      automated and centrally administered by the Enterprise\nbeen unused for         Operations Center when Trilogy upgrades are completed in\nmore than 90 days.      October 2002. In order to close this recommendation, the OIG\n                        requested the FBI to provide them with documentation\n                        evidencing that it is requiring system administrators to\n                        periodically review and delete all system accounts that have\n                        not been used for more than 90 days. 
In April 2003, the OIG\n                        informed the FBI that the updated status of this\n                        recommendation was pending and would be provided based\n                        upon the results of the FY 2003 financial statement audit of\n                        the FBI.\n#15. Enable account     The FBI\xe2\x80\x99s April 2002 response to the recommendation stated\nlockout on all          that account lockout settings have been set to comply with the\nsystems so that it      DOJ\xe2\x80\x99s standards. In order to close this recommendation, the\noccurs after three      OIG requested the FBI to provide them with documentation\nunsuccessful logon      (screen shots) evidencing that account lockout has been\nattempts.               enabled on all systems so that it occurs after three\n                        unsuccessful logon attempts. Because the FBI\xe2\x80\x99s responses\n                        have not provided the OIG with appropriate documentation,\n                        the recommendation remained open as of April 2003.\n#17. Enforce the        The FBI\xe2\x80\x99s April 2002 response to the recommendation stated\nuse of the FBI\xe2\x80\x99s        that the Service Center application is now the only approved\nService Center as a     method for recording system changes as a result of its\ncentralized approval    February 2002 system upgrades. Subsequently, the FBI\npoint to track all      provided the OIG with documentation supporting that policies\nchange requests         and procedures existed for the centralized approved change\nfrom initiation         management process. However, the OIG stated in December\nthrough final           2002 that these polices were not being enforced. Although the\ndisposition.            
OIG closed the recommendation in December 2002, in order to\n                        track its status with the GISRA FY 2002 review of the FBI\xe2\x80\x99s\n                        ACS system, we considered the recommendation to be open\n                        since the FBI could not demonstrate that policies were being\n                        enforced.\n#18. Implement the      The FBI\xe2\x80\x99s April 2002 response to the recommendation stated\nformat and content      that it created and implemented format and content standards\nstandards for           for application development and modification by FY 2002.\ninformation             However, in the FBI\xe2\x80\x99s memorandum dated March 11, 2003,\ntechnology              the FBI stated that it anticipates completion for the\ndevelopment and         implementation of the format and content standards for\nmaintenance support     information technology development and maintenance support\ntest plans.             test plans to be December 2003. In order to close this\n                        recommendation, the OIG requested the FBI to provide them\n                        with documentation evidencing that the format and content\n                        standards for IT development and maintenance support test\n                        plans are fully implemented.\n\n\n\n                                     - 119 -\n\x0c#19. Update the        The FBI\xe2\x80\x99s April 2002 response to the recommendation stated\nArchitecture Change    that the FBI did not concur with the recommendation as it was\nManagement Policy      written. As a result, the recommendation was considered\nto reflect the FBI\xe2\x80\x99s   unresolved upon final report issuance in May 2002. 
current information application and system software environment.
FBI’s Progress: The FBI’s next response dated June 2002 stated that an FBI-wide Configuration Management (CM) policy was created and approved by the Chief Information Officer on October 1, 2001. The FBI has since acquired a contractor to assist them in complying with the FBI-wide CM policy. The new CM procedures have been developed and were to be validated in March 2003. Once validated, the FBI will develop a plan for implementing the procedures through the IRD. To close this recommendation, the FBI should provide the OIG with documentation demonstrating that the CM procedures as well as a copy of the developed plan for implementing the CM procedures.

#20. Document procedures to establish the supervisory review process of software change when deviations from normal procedures occur.
FBI’s Progress: The FBI’s April 2002 response to the recommendation stated that as of March 2002, a review board now meets every two weeks to ensure supervisory review and determine procedures for any deviations that may occur. In order to close this recommendation, the OIG requested the FBI to provide a copy of documented procedures for that process.

#21. Enable auditing to capture the necessary system information to comply with DOJ policy.
FBI’s Progress: The FBI’s April 2002 response to the recommendation stated that the auditing functions were enabled only on servers that met required processing and storage capacity to support those functions. The response further stated that as obsolete servers are being replaced, auditing functions are enabled on replacement servers, and estimated a complete phase-out of obsolete servers by July 2003. In order to close this recommendation, the OIG requested the FBI to provide documentation evidencing that auditing (or some other compensating control) is enabled on all servers to capture the necessary system information in order to comply with DOJ policy.

#22. Require that audit trail activity be reviewed regularly.
FBI’s Progress: The FBI’s April 2002 response to the recommendation stated that it is impractical to conduct regular reviews of audit trail activity for either all personnel or all information systems. As a result, the recommendation was considered unresolved upon final report issuance in May 2002. In December 2002, the OIG stated that the FBI continued to indicate that it is impractical to conduct regular reviews of audit trail activity for either all personnel or all information systems. However, the FBI has since agreed that security audit is an essential part of system security. The Security Division is systematically addressing audit requirements for each FBI information system in the ongoing Certification and Accreditation effort. The Information Assurance Section has also begun the build-out of the Enterprise Security Operations Center (ESOC) that will have multiple security capabilities. To close this recommendation, the FBI should provide the OIG with documentation demonstrating the initial and full operating capability of the ESOC upon completion.

#23. Apply manufacturer patches in a timely manner to prevent system compromise to all network operating systems.
FBI’s Progress: The FBI’s April 2002 response to the recommendation stated that in March 2002, manufacturer’s patches were implemented as a required part of the change management process to ensure that changes do not result in negative impacts to applications and/or users. In order to close this recommendation, the OIG requested that the FBI provide documentation evidencing the corrective action taken. Because the FBI’s responses have not provided the OIG with appropriate documentation, the recommendation remained open as of April 2003.

Source: OIG analyses as of April 2003

3. Recommendations on the FBI’s Special Investigation Reports

Campaign Finance Investigation Report: Open Recommendations

IV.A (#9) The Manual of Administrative Operations and Procedures should be revised to require more comprehensive mandatory indexing of names appearing in an FBI document, and entry practices should be changed accordingly. Additionally, FBI policies should be changed to require that all documents be uploaded into the Electronic Case File database.
FBI’s Progress: The FBI’s July 1999 response to this recommendation stated that the FBI would establish a working group to revise the procedures governing the uploading of documents and indexing of names in the ACS system. However, the FBI’s response dated August 2001 stated that the FBI did not establish a formal working group as originally intended but instead relied upon the Information Resources Division to work with other FBI divisions to improve the ACS system’s procedures. The FBI’s May 2003 response to this recommendation stated that not all documents can be uploaded (into the Electronic Case File) due to certain sensitivities and restrictions. However, the FBI issued ECs in July 2000 and June 2002 that required ECs and e-mails to be uploaded into the ACS system, unless otherwise prohibited. Regarding the mandatory indexing of names, the FBI stated that the VCF will facilitate indexing on various web-based documents by providing data fields in searchable database tables.
The index is created once the document is approved and serialized into the VCF. The index data can be searched using search screens or by viewing the serialized document. Because the first release of the VCF is not scheduled for completion until December 2003, this recommendation remains open.

IV.B (#10) Supplementary training for agents who are principally responsible for the information that is entered into the ACS system should be performed.
FBI’s Progress: The FBI’s July 1999 response to this recommendation stated that the FBI was developing a program to provide agents with additional training on the ACS system once the new ACS system procedures are adopted. The FBI’s August 2001 response stated that the IRD provided basic ACS system training in 1999 and 2000 to over 200 special agents and close to 1,000 new special agents, while close to 200 special agents received basic ACS system training in 2001. The FBI’s May 2003 response stated that 43 veteran agents and 1,374 new agents were trained on the ACS system between August 2001 and May 2003. Additionally, the FBI’s response stated that web-based VCF training would be conducted between October 2003 and November 2003. To prepare for the VCF training, the FBI is assessing its employees’ basic computer literacy skills. This assessment identifies employees in need of additional computer skills so that appropriate training can be taken prior to the VCF training. Because it is not clear whether the ACS training provided to veteran agents has been adequate and we were unable to assess the FBI’s web-based training for the VCF (since it will not occur until October and November 2003), this recommendation remains open.

IV.C (#11) Agents should be made responsible for determining what information is entered into the IIIA system or for reviewing entries made by analysts to ensure their accuracy and completeness. Additionally, the FBI should consider increasing the number of IIIA system analysts, particularly in those field offices that generate significant amounts of foreign counterintelligence information. Finally, when IIIA searches are performed, original IIIA system reports should be provided to the parties who requested the searches, rather than summary electronic communications.
FBI’s Progress: The FBI’s July 1999 response to this recommendation stated that the working group addressing the issues concerning ACS would also review the problems with the IIIA system identified by the recommendation. However, the FBI’s response dated August 2001 stated that while the FBI did not establish a formal working group as originally intended, it did advise users of the IIIA system of new system enhancements, policies, and procedures through a newsletter. The response further stated that in 1999 and 2000: (1) additional training was provided to users of the IIIA system, and (2) several initiatives were undertaken to improve the accuracy of information in the IIIA system. Additionally, the response stated that Trilogy’s new enterprise solution (VCF) would ultimately absorb the IIIA system (scheduled for deployment in June 2004). The FBI’s May 2003 response to this recommendation stated that significant changes are planned for the IIIA system since the VCF development is not based on a system-by-system replacement, but rather a re-engineering of business practices and policies. The FBI is continuing to schedule and prioritize the functional components that must be integrated into the VCF for each delivery through June 2004. Because replacement of the IIIA system is planned as part of releases two and three of the VCF scheduled for June 2004, this recommendation remains open.

IV.D (#12) Any task force that is using the FBI’s databases should obtain at least a fundamental appreciation for their operation.
FBI’s Progress: The FBI’s July 1999 response to this recommendation stated that appropriate training would be conducted whenever a relevant task force is created. The FBI’s May 2003 response to this recommendation stated that the VCF training plan includes all Bureau task force members who will have access to the VCF application.
Because the VCF training has not yet been completed, this recommendation remains open.

IV.E (#13) Ensure that the FBI’s database operators are conversant with the format of Chinese and other foreign names. Additionally, database operators should inquire about whether the requesting party has in fact determined the order of such names, and if in doubt, should always perform an “around the clock” search.
FBI’s Progress: The FBI’s July 1999 response to this recommendation stated that the working group addressing the issues concerning the ACS system would also review ways of improving the process of entering and retrieving foreign names in FBI databases. However, the FBI’s response dated August 2001 stated that while the FBI did not establish a formal working group as originally intended, it did make enhancements to the IIIA system in July 2000 so that variations of a name are identified during a search. The FBI’s May 2003 response to this recommendation stated that on May 3, 2002, the LTAU announced in an EC a project to adopt and implement standards for the uniform “Romanization” of foreign personal and place names. Additionally, in an EC dated May 8, 2002, the LTAU began work on implementing standardization systems for “Romanizing” Arabic by offering training to all applicable FBI employees. According to the FBI, by the end of the second quarter of FY 2003, 371 FBI employees had received training in Arabic “Romanization,” while classes continue to be held. Regarding Chinese “Romanization,” the LTAU announced in an EC dated September 12, 2002, that training on Chinese “Romanization” was being offered to all applicable FBI employees. As of June 9, 2003, a total of 80 FBI employees had been trained in Chinese “Romanization,” while classes continue to be held. The FBI’s May 2003 response to this recommendation also stated that the FBI selected a commercial-off-the-shelf application for searching names. The software will search names entered in any order and will create different permutations of ordering. The software will not only search the different orders of names, but also will have algorithms to detect common or likely misspellings, sound-alikes, and cultural differences. Additionally, the LTAU worked with the VCF project management team to create a keyboard for the “Romanization” of names in accordance with the U.S. Board on Geographic Names.

In addition to training, the FBI expects the VCF to help database operators apply foreign names to searches within databases. For example, the VCF will allow the addition of STC for Asian names, Unicoded for other foreign names, and it will deploy a name search engine that incorporates variations on names. Because the first release of the VCF is not scheduled for completion until December 2003, this recommendation remains open.

Source: OIG analyses as of May 2003

McVeigh Report: Closed Recommendations

#8. The FBI should evaluate its computer training in order to develop a clear understanding of what agents need to perform their jobs effectively.
FBI’s Progress: The FBI’s September 2002 response to this recommendation stated that training was being assessed by a curriculum review committee. The FBI’s April 2003 response to this recommendation stated that the Training Division completed the design of instruments currently being used by new agents and managers to assess what computer skills agents need to perform their jobs and to determine the need for additional improvements to the new agents’ computer training curriculum.
These instruments, which will evaluate whether the Training Division’s computer training program is meeting the needs of field offices and investigators, are in the process of being tested. Based on a review of supporting documentation provided by the FBI, we believe that the FBI has adequately addressed this recommendation.

#9. The FBI should consider whether computer usage should be a part of the core skills needed to graduate from the new agents training academy.
FBI’s Progress: The FBI’s September 2002 response to this recommendation stated that the Training Division intends to implement policy requiring all new agents to possess core computer competency skills prior to graduation. The FBI’s April 2003 response to this recommendation stated that the Training Division determined that computer training should be a core requirement for graduation from the FBI Academy. Accordingly, the Training Division has implemented a policy requiring all new agents to pass an exam on core computer competency skills prior to graduation. Based on a review of supporting documentation provided by the FBI, we believe that the FBI has adequately addressed this recommendation.

#10. The FBI should consider mandatory refresher training for veteran agents.
FBI’s Progress: The FBI’s September 2002 response to this recommendation stated that the Training Division works to encourage the use of investigative computer training for veteran agents. The FBI’s April 2003 response to this recommendation stated that the FBI has recently implemented a program of continual mandatory training for veteran agents and all employees (including the FBI’s cadre of intelligence analysts). This mandatory training will include investigative computer training. Based on a review of supporting documentation provided by the FBI, we believe that the FBI has adequately addressed this recommendation.

#13. The FBI should ensure that deadlines for the completion of leads are clear and not undermined by the automated system, such as the ACS system’s setting of a 60-day deadline for “immediate” leads.
FBI’s Progress: The FBI’s September 2002 response to this recommendation stated that the deadlines set within the ACS system for completing “Immediate” and “Priority” leads would be changed to one day by December 31, 2002. The current procedures for specifying deadlines for routine matters will remain unchanged. The FBI’s April 2003 response to this recommendation stated that these changes to the ACS system were completed by August 26, 2002. Based on a review of supporting documentation provided by the FBI, we believe that the FBI has adequately addressed this recommendation.

Source: OIG analyses as of April 2003

McVeigh Report: Open Recommendations

#1. The FBI should foster an attitude among all employees that information management is an essential part of the FBI’s mission and that automation is a key tool in managing the storage, analysis, and retrieval of information.
FBI’s Progress: The FBI’s September 2002 response to this recommendation stated that the FBI was engaging in programs to improve all of its records management capabilities through its restructuring and creation of the RMD. The FBI undertook training of all employees in the areas of information management requirements, procedures, and responsibilities during a 1-day stand down in 2001. Further, the FBI’s response stated that future training in records management was being planned. The FBI’s April 2003 response to this recommendation stated that the RMD was actively promoting effective information management within the Bureau and was encouraging acceptance of new automation plans by Bureau employees.
Since 2002, RMD staff has worked closely with the VCF and SCOPE data warehouse program teams to ensure close coordination of records and information management activities. Additionally, the response stated that the RMD has begun to identify, develop, and implement the quality control mechanisms to ensure that record systems’ problems are quickly detected. Also, the RMD is investigating the possibility of establishing an annual awareness campaign. Further, the RMD will establish a Records Management publicity team. Because the RMD’s activities are ongoing and the first release of the VCF – which will significantly change the FBI’s information and workflow process – is not scheduled for completion until December 2003, this recommendation remains open.

#2. As part of its development of Trilogy, the FBI should consider whether its document management systems can be simplified, such as by having supervisors review electronic copies of documents, and whether its record keeping formats can be reduced in number.
FBI’s Progress: The FBI’s September 2002 response to this recommendation stated that the FBI was pursuing the simplification of its document management systems through the development of Trilogy and the VCF. The FBI’s April 2003 response to this recommendation stated that the RMD has taken part in the process to simplify the FBI’s document information systems through the implementation of the new electronic record keeping system. The VCF system is designed to develop a workflow process that will allow for electronic signatures. The response further stated that it is the responsibility of the VCF to work with the FBI Public Key Infrastructure Team to implement electronic signatures for the approval process. Because the first release of the VCF is not scheduled for completion until December 2003, this recommendation remains open.

#3. The FBI should evaluate whether inserts should be eliminated.
FBI’s Progress: The FBI’s September 2002 response to this recommendation stated that inserts would be eliminated with the deployment of the VCF. Because the first release of the VCF is not scheduled for delivery until December 2003, this recommendation remains open.

#4. The FBI should evaluate its practices regarding “originals” of FBI created documents (such as FD-302s). If originals continue to be needed, the FBI should develop a system that more clearly identifies an original.
FBI’s Progress: The FBI’s September 2002 response to this recommendation stated that the FBI was examining how “originals” would be managed in the future, within the VCF applications. The FBI’s April 2003 response to this recommendation stated that the FBI has determined that electronic versions of records in VCF are the “record copies” as part of the Public Key Infrastructure/VCF – Record Management Application (RMA) development. Approval of the requirements for a Public Key Infrastructure was obtained in February 2003. Because the first release of the VCF is not scheduled for delivery until December 2003, this recommendation remains open.

#5. Any new automation system should be user friendly, meaning that the steps required to obtain information should be few in number and intuitive. Information should be provided to the user quickly.
FBI’s Progress: The FBI’s September 2002 response to this recommendation stated that the VCF will be in a web environment, familiar to computer users, with simplified workflow processes for document storage and retrieval. In the VCF, basic workflow processes will be accomplished through point and click capabilities. The submission of a document or package to a case file for routing and approval will be accomplished through a single “submit action.” Once properly stored, every case and document will be immediately available to all persons who have proper security access through a web-based point and click environment. Because the first release of the VCF is not scheduled for delivery until December 2003, this recommendation remains open.

#6. Any new automation system should include an effective document tracking system. The FBI should consider whether a system that integrates the creation of documents into the tracking system is feasible and appropriate.
FBI’s Progress: The FBI’s September 2002 response to this recommendation stated that the development (through Trilogy) of comprehensive automated document creation, receipt, and management systems will eliminate much of the need for traditional document tracking systems. FBI employees will be able to access documents directly from their desktop computers, whether those documents were created by the FBI or received from external sources and scanned into the Trilogy systems. The FBI’s April 2003 response to this recommendation stated that with the implementation of VCF, systems and processes will be established to effectively track documents and materials contained in the FBI records systems. Because the first release of the VCF is not scheduled for delivery until December 2003, this recommendation remains open.

#7. The FBI should work toward eliminating crisis management software and other independent systems. The FBI should consider the feasibility of developing an automation system that expands to meet situations rather than developing new software that is compatible with other programs.
FBI’s Progress: The FBI’s September 2002 response to this recommendation stated that the focus of the VCF project has been to develop a user-friendly case management and program management tool that attempts to integrate the workflow involved in the recording of events and data with the natural flow of the investigation.
The response further states that the information intake process for a crisis response should be the same as intake for routine matters. The VCF project has defined the FBI’s case and program management needs and requirements to include crisis management as a component of the workflow and case management. Because the first release of the VCF is not scheduled for delivery until December 2003, this recommendation remains open.

#11. The FBI should ensure that leads cannot be “covered” without an explanation of what has been done to the task assigned.
FBI’s Progress: The FBI’s September 2002 response to this recommendation stated that the VCF is being designed so as to permit leads to be “covered” as a separate function from the documentation of the lead being covered. The FBI’s April 2003 response to this recommendation stated that in January 2002, the process to identify the VCF program requirements to ensure that leads cannot be “marked covered without an explanation of the action taken” was begun. That phase of the process was completed on November 22, 2002, with the delivery of the program requirements to the VCF contractor. The contractor is to complete the design and implementation phase of the process by July 17, 2003. Upon completion of the design and implementation phase, testing of the VCF system, including the “lead coverage requirement,” will begin and is to be completed on October 27, 2003. Because the first release of the VCF is not scheduled for delivery until December 2003, this recommendation remains open.

#12. Future automation systems should incorporate a system to allow supervisors to easily track the status of leads. The FBI should evaluate whether a lead tickler system is appropriate and feasible.
FBI’s Progress: The FBI’s September 2002 response to this recommendation stated that VCF will assign unique lead “counters” to each lead in a single case. Split leads or leads created from an original lead will reflect lead counters with a derivative or “parent-child relationship” which will facilitate the tracing of all leads to their origin. The response further states that leads will be capable of being viewed from the desktop computer by the lead originating office and by all receiving offices to determine to whom the leads are assigned or whether action on the lead has occurred. Because the first release of the VCF is not scheduled for delivery until December 2003, this recommendation remains open.

#14. The FBI should evaluate the feasibility of developing a system of universal lead numbers to eliminate the use of local lead numbers as a tracking mechanism.
FBI’s Progress: The FBI’s September 2002 response to this recommendation stated that the VCF system of universal lead counters unique to each case will facilitate lead creation, tracking, and action. The system for lead control will provide case agents and managers with a user-friendly tool to ensure lead accountability. Because the first release of the VCF is not scheduled for delivery until December 2003, this recommendation remains open.

#15. The FBI should evaluate the use of lead numbers on leads and responding reports and determine whether new policies, better enforcement of existing policies, improved training, or better automation is the best method of fixing the problem.
FBI’s Progress: The FBI’s September 2002 response to this recommendation stated that the VCF system of universal lead counters unique to each case will facilitate lead creation, tracking, and action. The system for lead control will provide case agents and managers with a user-friendly tool to ensure lead accountability. Because the first release of the VCF is not scheduled for delivery until December 2003, this recommendation remains open.

Source: OIG analyses as of April 2003

APPENDIX 3

OTHER REPORTS RELATING TO THE FBI’S IT PROGRAM

1. GAO Reports

The GAO is the investigative arm of Congress.
The GAO examines the use of public funds, evaluates federal programs and activities, and provides analyses, options, recommendations, and other assistance to help Congress make effective oversight, policy, and funding decisions. Since 1998, the GAO has issued several reports and related testimony that highlight deficiencies with the FBI’s IT, including one report that provides an IT recommendation.

According to the “GAO’s Agency Protocols,” issued in December 2002, the GAO’s recommendations are intended to improve the economy, efficiency, and effectiveness of an agency’s operations and to improve the accountability of the federal government for the benefit of the American people. Consequently, the GAO monitors agencies’ progress in implementing these recommendations. To accomplish this monitoring, the GAO maintains a database of open recommendations. As new reports with recommendations are issued, their recommendations are incorporated into the database. This database serves both the GAO and the agencies by helping them meet their record maintenance and monitoring responsibilities.

The GAO’s goal is to remove all closed recommendations from the database on an ongoing basis. However, toward the end of each fiscal year, special attention is directed to this effort. The GAO removes a recommendation from its database after determining that (1) the agency has implemented the recommendation or has taken action that in substance meets the intent of the recommendation, or (2) circumstances have changed and the recommendation is no longer relevant. The open recommendation database is available to the public on the GAO’s website (www.gao.gov). Specific recommendations can be identified because the database is searchable by agency, Congressional committee, and key words. Congressional oversight and authorization committees, as well as the Appropriations Committees, can use the database to prepare for hearings and budget deliberations.

Additionally, when the GAO issues a report containing recommendations to the head of an agency, 31 U.S.C. Section 720 requires that the agency head submit a written statement of the actions taken by the agency on the GAO’s recommendations to the Senate Committee on Governmental Affairs and the House Committee on Government Reform no later than 60 days after the date of the report. The agency’s statement of action is also to be submitted to the House and Senate Committees on Appropriations with the first request for appropriations that is submitted more than 60 days after the date of the report. If the Congressional requestor has asked that the distribution of the report be restricted, as provided by the “GAO’s Congressional Protocols,” the 60-day period will begin on the date the report is released.

Because agency personnel serve as the primary source of information on the status of recommendations, the GAO requests that the agency also provide it with a copy of the agency’s statement of action to serve as preliminary information on the status of recommendations.
The GAO will follow up by discussing the status of recommendations with cognizant agency officials; obtaining copies of agency documents supporting the recommendations’ implementation; and performing sufficient work to verify that the recommended actions are being taken and, to the extent possible, that the desired results are being achieved.

While conducting an audit on the FBI’s counterterrorism program,[54] the OIG found that the FBI had not implemented a GAO recommendation in its report entitled “Need for Comprehensive Threat and Risk Assessments of Chemical and Biological Attacks.” Among the reasons identified by the OIG was that the FBI does not have a system of management controls to ensure timely implementation of GAO, OIG, or other agency-issued recommendations. Because of the FBI’s non-compliance with this GAO recommendation, we examined whether the FBI has implemented recommendations relating to IT that have been issued by the GAO in the last five years.

To assess the FBI’s progress in implementing recommendations directed toward improving its information technology, we examined the following GAO reports that discussed the FBI’s use and management of information technology:

       •    the 2000 report on the FBI’s National Instant Criminal Background Check System (NICS);

       •    the 2000 report on the DOJ’s Campaign Finance Task Force; and

       •    the 2002 Enterprise Architecture Report.

       [54] The OIG report, entitled “A Review of the Federal Bureau of Investigation’s Counterterrorism Program: Threat Assessment, Strategic Planning, and Resource Management,” was issued in September 2002.

Based on our review of these reports, only the report on the NICS had a recommendation that related to IT. We found that the FBI timely implemented this recommendation. Because the remaining two reports included some discussion of the FBI’s IT program, we summarized the reports’ findings to supplement our analyses of the FBI’s progress in improving its IT.

A. Report on the FBI’s National Instant Criminal Background Check System

In February 2000, the GAO issued “Gun Control: Implementation of the National Instant Criminal Background Check System.” The National Instant Criminal Background Check System is a computer system maintained by the FBI that is designed to provide background screening for all types of firearms bought from federal firearms licensees. In this report, the GAO:

      •   provided statistics on background checks, denials, and appeals;

      •   described enforcement actions taken against persons who allegedly falsify their status on firearm-purchase applications;

      •   discussed the NICS’s computer system architecture, capacity management, system availability, transaction response time, retention of records, monitoring activities, and the prospect of making the NICS a fingerprint-based system rather than a name-based system; and

      •   discussed pawnshop issues.

The report stated that the FBI did not authorize NICS before it began operations on November 30, 1998. System authorization was not obtained, according to FBI officials, due to insufficient time and resources to formally test security controls between the date that the FBI received the system from the contractor and the Congressionally-mandated date for system operation.
However, while a formal test of security controls was not conducted, the security officer responsible for NICS’ authorization stated that a subset of NICS’ security requirements was assessed and a number of vulnerabilities were disclosed. The FBI requested an interim approval to operate NICS from the FBI’s National Security Division, which is the FBI’s authorization authority. According to an FBI National Security Division representative, the interim approval was granted for one year beginning November 30, 1998.

However, the GAO’s report stated that, according to the security officer responsible for NICS authorization, all authorization requirements (such as certification testing) were not completed during the interim period because of competing priorities, such as the authorization of NCIC 2000 and the Integrated Automated Fingerprint Identification System. Additionally, the GAO’s report stated that, according to the DOJ, the completion of security testing was overshadowed by more urgent issues directly impacting NICS’ ability to function; therefore, security testing was delayed. On December 2, 1999, the National Security Division extended the interim approval to operate NICS through April 2000. Further, the GAO’s report stated that, according to the security officer, security testing for NICS was completed on December 21, 1999. The FBI planned to obtain full authorization by March 31, 2000.

The report further stated that because of the system vulnerabilities that were identified before NICS went operational and the delays experienced in authorizing the system, the FBI continued to lack an adequate basis for knowing whether NICS assets (hardware, software, and data) were sufficiently secure and were not vulnerable to corruption and unauthorized access. Additionally, it had not yet been authorized as secure in accordance with the DOJ’s own requirements, and attempts to do so had been delayed. The report also stated that further delays in authorizing NICS would expose the system and the data it processes about individuals to unnecessary risk. Therefore, it was extremely important that the FBI fulfill its commitment to authorize NICS by March 31, 2000.

We determined that the FBI timely implemented the report’s one IT-related recommendation. This recommendation pertained to the certification and accreditation of the NICS by March 31, 2000. According to the GAO’s website, the recommendation’s status was closed.

To confirm that the status of this recommendation was closed, we interviewed FBI officials and reviewed documentation supporting the authorization and accreditation of the NICS as of March 31, 2000.

B. Report on the DOJ’s Campaign Finance Task Force

In May 2000, the GAO issued a report entitled “Campaign Finance Task Force: Problems and Disagreements Initially Hampered Justice’s Investigation.” The objective of this review was to examine the management and oversight, operations, and results of the Campaign Finance Task Force from its inception through December 31, 1999.

Among its findings, the report stated that the FBI lacked an adequate information system that could manage and interrelate the evidence that had been gathered in relation to the Campaign Finance Task Force’s investigations. Specifically, the Campaign Finance Task Force was overwhelmed with documents and other evidence and lacked sufficient staff and electronic system resources to input and organize the information being gathered.
The report also stated that the lead investigator noted that after several months, the large volume of documents obtained overwhelmed the Campaign Finance Task Force’s electronic data management system and a new system had to be purchased.

This report did not contain any FBI IT-related recommendations. However, the deficiencies described in this report are consistent with ones reported by the OIG. The more recently issued McVeigh and ITIM reports stated that similar vulnerabilities with the FBI’s information management systems have continued, demonstrating that additional corrective actions are necessary.

C. Report on the FBI’s Enterprise Architecture

In February 2002, the GAO issued a report entitled “Enterprise Architecture Use Across the Federal Government Can Be Improved.” The objectives of the report were to determine (1) the status of federal agencies’ efforts to develop, implement, and maintain enterprise architectures; and (2) OMB’s actions to oversee these efforts.

The report stated that the FBI needed to fully establish the management foundation that is necessary to begin developing, implementing, and maintaining an enterprise architecture. While the FBI implemented most of the core elements associated with establishing the management foundation, it had not yet established a steering committee or group that has responsibility for directing and overseeing the development of the architecture.

In addition, the GAO indicated that although establishing the management foundation is an essential first step, important further steps still need to be taken for the FBI to fully implement the set of practices associated with effective enterprise architecture management. These include having a written and approved policy for developing and maintaining the enterprise architecture and requiring that IT investments comply with the architecture.

This report did not contain any FBI IT-related recommendations. However, the recently issued ITIM report stated that the FBI still has not fully established an enterprise architecture, although progress is being made. Specifically, a baseline architecture was being developed in a data repository, which ultimately will be maintained in the FBI’s intranet. This data repository, when complete, is intended to describe how all of the FBI’s IT systems align with the business processes of the Bureau. Additionally, the enterprise architecture office was developing a technical reference model that will outline the technical architecture of the Bureau’s IT systems. Also, the FBI was creating a commercial off-the-shelf roadmap of all commercially-available hardware and software that will comply with the FBI’s technical architecture. Despite the progress being made, the ITIM report ultimately concluded that the FBI’s enterprise architecture development was not far enough along to adequately support the FBI’s IT investment management activities.

D. Summary of GAO Reports

The three GAO reports we examined noted deficiencies with certain aspects of the FBI’s IT program. The Gun Control report stated that the FBI did not properly authorize an IT system (NICS) through accreditation and certification. However, we found that the system was subsequently certified and accredited as of March 31, 2000. Additionally, the report on the FBI’s Campaign Finance Task Force stated that the FBI lacked an adequate information system that could manage and interrelate the evidence that had been gathered in relation to the Campaign Finance Task Force’s investigations. These deficiencies were similar to those reported in the OIG’s Campaign Finance report. Further, the report on the FBI’s enterprise architecture stated that the Bureau lacked a foundation for managing enterprise architecture. The recently released ITIM report reiterated the importance of having an established enterprise architecture when developing an IT investment management process.

2. Other Reports on the FBI’s IT

In addition to the OIG and the GAO, other entities have issued reports in recent years that included analyses of the FBI’s IT management. One report of particular relevance to IT security was issued by the Webster Commission. This report, entitled “A Review of FBI Security Programs,” was issued in March 2002. The Commission, chaired by former FBI Director William H. Webster, was established to investigate the espionage of FBI Supervisory Special Agent Robert Hanssen.

The report identified a wide range of problems affecting the FBI’s computer systems and information security policies, including the following:

     •   Classified information had been moved into systems not properly accredited for protection of classified information.

     •   Until recently, the FBI had not begun to certify and accredit most of its computer systems, including many classified systems.

     •   Inadequate physical protections placed electronically-stored information at risk of compromise.

     •   The FBI’s approach to system design had been deficient.
It had failed to ascertain the security requirements of the “owners” of information on its systems and to identify the threats and vulnerabilities that must be countered.

     •   Classified information stored on some of the FBI’s most widely-utilized systems was not adequately protected because computer users lacked sufficient guidance about critical security features.

     •   Some FBI inspectors had insufficient resources to perform required audits. When audits were performed, audit logs were reviewed sporadically, if at all.

According to the Webster Commission’s report, these findings resulted from the FBI’s lack of attention to IT security in developing and managing computer systems. The report highlights the importance of computer security as it shows how breaches, such as those that GISRA audits continue to identify, present national security risks.


                                                    APPENDIX 4

       GLOSSARY OF ABBREVIATIONS AND ACRONYMS

ACID             Top Secret Accessor Identification
ACM              Architecture Change Management
ACS              Automated Case Support
ADP              Automated Data Processing
ADPT             Automated Data Processing and Telecommunications
ARCS             Automated Response and Compliance System
BPMS             Bureau Personnel Management System
C&A              Certification and Accreditation
CM               Configuration Management
CONOP            Concept of Operations Report
COOP             Continuity of Operations Report
DAA              Designated Approving Authority
DOJ              Department of Justice
EC               Electronic Communication
ESOC             Enterprise Security Operations Center
FBI              Federal Bureau of Investigation
FBIHQ            FBI Headquarters
FIPS             Federal Information Processing Standards
FISCAM           Federal Information System Controls Audit Manual
FMS              Financial Management System
FPDS             Federal Procurement Data Statistics
GAO              General Accounting Office
GISRA            Government Information Security Reform Act
IIIA             Integrated Intelligence Information Application
IPC              Information Presentation Component
IRD              Information Resources Division
IT               Information Technology
ITIM             Information Technology Investment Management
LAN              Local Area Network
LTAU             Language Training and Assessment Unit
MAOP             Manual of Administrative Operations and Procedures
MIOG             Manual of Investigative Operations and Guidelines
MLC              Management Letter Comment
MW               Material Weakness
NICS             National Instant Criminal Background Check System
NIST             National Institute of Standards and Technology
OIG              Office of the Inspector General
OMB              Office of Management and Budget
PMA              Property Management Application
QCMU             Quality Configuration and Methods Unit
RC               Reportable Condition
RMA              Record Management Application
RMD              Records Management Division
SCI              Sensitive Compartmented Information
SMF              System Management Facility
SPIU             Systems Programming and Integration Unit
STC              Standard Telegraphic Code
Task Force       Campaign Finance Task Force
TNC              Transportation Network Component
UAC              User Application Component
VCF              Virtual Case File
WAN              Wide Area Network


                               APPENDIX 5

FBI’S RESPONSE TO THE DRAFT REPORT


                                                               APPENDIX 6

      OIG, AUDIT DIVISION ANALYSES AND SUMMARY
        OF ACTIONS NECESSARY TO CLOSE REPORT

In its response to the draft report, the FBI agreed with all of our audit recommendations and provided over 25 pages of additional support to address the recommendations. Because of the length of the additional support provided, we include as Appendix 5 of this final report only the FBI’s summary response.

Recommendation number:

1.    Resolved. This recommendation is resolved based on the FBI’s agreement to develop, document, and implement Bureau-wide procedures to follow up and close audit and investigative recommendations. The documentation provided by the FBI included two electronic communications that provided guidance for the follow-up of OIG and GAO audits. However, it is not clear whether this guidance has been institutionalized as policy through inclusion within the FBI’s formal policy manuals. This recommendation can be closed when we receive documentation demonstrating that the guidance documents provided, “DOJ OIG Financial and Non-Financial Audits” and “General Accounting Office,” or other specific audit follow-up procedures are institutionalized as policy within the FBI’s formal policy manuals.

2.    Resolved. This recommendation is resolved based on the FBI’s agreement to ensure that the ARCS database is complete. This recommendation can be closed when we receive documentation demonstrating that the Campaign Finance report has been entered into ARCS, and that vulnerabilities generated by system audits required by GISRA are being tracked.

3.    Resolved. This recommendation is resolved based on the FBI’s agreement to ensure that managers are held accountable for the tracking, resolution, and timely implementation of OIG recommendations. As stated for recommendation 1, the documentation provided does not appear to be institutional policy. This recommendation can be closed when we receive documentation demonstrating that the guidance documents provided, or other specific audit follow-up procedures, are institutionalized as policy within the FBI’s formal policy manuals, and that the ARCS database is complete.